- About
- System Requirements
- Build EPID Verification service Jar File
- Generate keystores
- Run EPID Verification service
This document can be used as a quick guide to build and run the FIDO Device Onboard (FDO) EPID Verification service. FDO EPID Verification service is a software service that assists FDO Rendezvous service and FDO Owner service to perform device signature verification for devices using EPID based device attestation.
- Ubuntu (22.04, 20.04) / RHEL 8.4 / Debian 11.4. +
- Maven.
- Java 11.
- Curl.
- GCC 4.9.
- Cmake.
- Make.
- Swig.
- Unzip.
- Docker Engine 20.10.X / Podman Engine. (Optional)
- Docker-compose 1.21.2 / Podman-compose 0.1.5. (Optional)
+Supported Host operating Systems.
NOTE: Use the following commands to enable EPID Verification Service support on RHEL.
bash ./enable_rhel_support.sh
grep -qxF 'export PODMAN_USERNS=keep-id' ~/.bashrc || echo $'\nexport PODMAN_USERNS=keep-id' >> ~/.bashrc
grep -qxF 'export BUILDAH_FORMAT=docker' ~/.bashrc || echo $'\nexport BUILDAH_FORMAT=docker' >> ~/.bashrc
source ~/.bashrc
For the instructions in this document, refers to the path of the EPID Verification Service source folder epid-verification-service.
EPID Verification Service source code is organized into the following sub-folders.
-
Jenkins: It contains files for building service and running smoke test on the repo. -
Native: It contains JNI implementation for utilizing epid-sdk for performing EPID signature verification. -
certs: It contains sample key, certificate and keystore for running the service. -
src: It contains the springboot application for EPID Verification service.
export JAVA_HOME=<path-to-java-11-jdk>
The external dependencies are built in <epid-verification-service>/Native/src/service/dependencies folder. This folder needs to be created, if it doesn't exist.
EPID Verification service uses EPID SDK for performing signature verification of EPID based devices. Switch to <epid-verification-service>/Native/src/service/dependencies and run following commands to build EPID SDK.
NOTE: The latest version of EPID SDK compatible with EPID Verification service is v7.0.1.
$ git clone -b v7.0.1 https://github.com/Intel-EPID-SDK/epid-sdk
$ cd epid-sdk
$ chmod +x configure
$ ./configure
$ make all
$ make check
$ make install
EPID Verification service uses Google Test framework for performing sanity test of EPID JNI framework. Switch to \<epid-verification-service\>/Native/src/service/dependencies and run following commands to build Google Test framework.
NOTE: The latest version of Google Test framework compatible with epid-verification-service is release-1.7.0.
$ git clone -b release-1.7.0 https://github.com/google/googletest
$ cd googletest/make
$ make
To build EPID verification service, execute the following command.
$ mvn install
NOTE Maven build triggers the build script for JNI Native library.
To build only the JNI Native library, execute the following command.
$ cd <epid-verification-service>/Native
$ ./build.sh
To clean files generated by previous build, execute the following command.
$ mvn clean
To clean the files generated in previous build in the Native JNI library, execute the following command.
$ cd <epid-verification-service>/Native
$ ./build.sh --clean
To generate unit test metrics, execute the following command.
$ mvn clean verify
The code coverage report is stored in the directory ./target/site/jacoco/test/html
Keystore is used to store SSL certificates in the Java* programming language.
The example of keystore can be found in the directory 'certs'
keystore - "verification-service-keystore.p12"
Default passwords for keystore: ver!f!c@t!0n
Visit page for instructions on how to generate keystore and truststore.
Important:
- The keystore provided in this repository is for demonstration purpose only. This must be changed while performing production deployment.
JVM options can be set to configure EPID Verification Service:
| Java Option | Description |
|---|---|
| Hosts | |
| server.port | EPID Verification service host port (default: 1180). |
| Keystores | You can use default keystore or you can generate your own, please review section keystores |
| server.ssl.key-store | Keystore file (default: verification-service-keystore.p12) |
| server.ssl.key-store-password | Keystore password (default: ver!f!c@t!0n) |
| Miscellaneous | |
| crypto-material.path | Path to EPID Cryptomaterials |
| java.library.path | Location of JNI .so files (default: ./Native/build/epid_verifier:./Native/build/epid_verifier_wrap |
| spring.profiles.active | Spring profile for EPID Verification service (values: production, development) |
- To use external Verification Service from behind proxy, set the following JVM flags, more info here:
https.proxyPort
https.proxyHost
http.proxyPort
http.proxyHost
To run the EPID Verification Service, you can use epidVerificationService.sh.
$ bash epidVerificationService.sh
To check whether the EPID Verification Service is working properly run the following command:
$ curl --cacert ./certs/ca.cert.pem https://localhost:1180/health
Expected result:
{
"version": "1.1.8"
}