Wrap rust-cli with python

[clangenb]

After integritee-network#1183 has been merged, we can now wrap the rust-cli lib with python. however, there are still some issues left, as the lib needs some sgx-crypto c-libraires:

error: could not find native static library `sgx_tcrypto`, perhaps an -L flag is missing?

   Compiling crossbeam-deque v0.8.3
error: could not compile `sgx_ucrypto` due to previous error

For this, we'd actually need to remove the sgx-crypto entirely. We have discussed this in integritee-network#1167. I will follow up over there.

Blocked by

• Upgrade worker to upstream #45

[clangenb]

With the current state of the worker, we need a patch, which is nasty, but it should work. If we want to streamline this by introducing a feature flag as discussed in integritee-network#1167 (comment), this needs some work, which would be invoiced by integritee.

[j-ti]

I tried the patch, but get an error (using linux):

   Compiling sgx_crypto_helper v1.1.6 (/home/xxx/incubator-teaclave-sgx-sdk/sgx_crypto_helper)
warning: unused import: `sgx_types::sgx_status_t`
 --> /home/xxx/incubator-teaclave-sgx-sdk/sgx_crypto_helper/src/rsa3072.rs:6:5
  |
6 | use sgx_types::sgx_status_t;
  |     ^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: `#[warn(unused_imports)]` on by default

   Compiling itp-sgx-externalities v0.9.0 (/home/xxx/worker/core-primitives/substrate-sgx/externalities)
error[E0599]: no method named `to_pubkey` found for struct `Rsa3072PubKey` in the current scope
   --> /home/xxx/incubator-teaclave-sgx-sdk/sgx_crypto_helper/src/rsa3072.rs:298:27
    |
253 | pub struct Rsa3072PubKey {
    | ------------------------ method `to_pubkey` not found for this struct
...
298 |         let pubkey = self.to_pubkey()?;
    |                           ^^^^^^^^^ method not found in `Rsa3072PubKey`

warning: unused import: `crate::RsaKeyPair`
  --> /home/xxx/incubator-teaclave-sgx-sdk/sgx_crypto_helper/src/rsa3072.rs:17:5
   |
17 | use crate::RsaKeyPair;
   |     ^^^^^^^^^^^^^^^^^

For more information about this error, try `rustc --explain E0599`.
warning: `sgx_crypto_helper` (lib) generated 2 warnings
error: could not compile `sgx_crypto_helper` due to previous error; 2 warnings emitted
warning: build failed, waiting for other jobs to finish...

Which is weird as the patch-code at the stated /home/xxx/incubator-teaclave-sgx-sdk/sgx_crypto_helper/src/rsa3072.rs from 283 to 296 clearly implements to_pubkey.

My tree is

sgx_crypto_helper v1.1.6 (/home/xxx/incubator-teaclave-sgx-sdk/sgx_crypto_helper)
├── integritee-cli v0.9.0 (/home/xxx/worker/cli)
│   └── integritee_cli_py v0.1.0 (/home/xxx/integritee_cli_py)
├── itc-rpc-client v0.9.0 (/home/xxx/worker/core/rpc-client)
│   └── integritee-cli v0.9.0 (/home/xxx/worker/cli) (*)
└── itp-sgx-crypto v0.9.0 (/home/xxx/worker/core-primitives/sgx/crypto)
    └── integritee-cli v0.9.0 (/home/xxx/worker/cli) (*)

[n-prat]

It does, but it is behind a feature.

You need at least sgx_crypto_helper ... features = ["crypto_direct"] somewhere.

[j-ti]

Thank you for the hint however, when adding it to the my Cargo.toml I still get the same error for some reason.

[j-ti]

@n-prat before the error appears, I get warnings of skipped duplicate packages of teaclave-sgx-sdk despite the patch. Maybe this is messing up the dependencies, did I use the incubator-teaclave repo correctly as patch for the teaclave dependency?

Even if I remove the duplicate manually, cargo build loads teaclave from another source also. I currently use the integritee worker at ea00ebe with the updated client lib. Is there another worker client branch that I could/should test it with?

[j-ti]

Error and duplicate-package-warning persist also when patch is added to https://github.com/olisystems/BEST-Energy/blob/ea00ebea9f2df900fcb389d51eb00c710e3e0fc9/cli/Cargo.toml

[n-prat]

Ah we seem to have a different use cases:

• you are trying to compile integritee-cli in this repo directly for non-sgx right?
• I am using integritee-cli as a dependency in some Android library
  That being said, the patch(es) should still work.

The relevant part of my workspace Cargo.toml:

[patch."https://github.com/apache/teaclave-sgx-sdk.git"]
# itc-rpc-client = { path = "../integritee-worker/core/rpc-client/" }
# TODO ideally we would directly use this patched version from `integritee-cli`
# but it is quite a mess to make it work both from repo `integritee-worker` and here
sgx_crypto_helper = { path = "./shared/rust/deps/teaclave-sgx-sdk/sgx_crypto_helper/" }

[patch.crates-io]
# TODO re-add for bevy 0.9? or not needed anymore
# NOTE: patch DOES NOT work except at the Workspace level??
# bevy_render = { path = './shared/rustrenderer/patch/bevy_render-0.7.0' }

# wasmtime-runtime: we MUST patch to make it compatible with Android Emulator
# error: unsupported platform
#    --> /home/XXX/.cargo/registry/src/github.jparrowsec.cn-1ecc6299db9ec823/wasmtime-runtime-6.0.2/src/traphandlers/unix.rs:235:13
#     |
# 235 |             compile_error!("unsupported platform");
# SHOULD match https://github.com/paritytech/substrate/blob/master/primitives/wasm-interface/Cargo.toml
# NOTE: we NEED to patch "wasmtime-runtime" but to avoid error like "note: perhaps two different versions of crate `wasmtime_environ` are being used?"
# the easiest thing to do is patch the "main lib"
# NOTE: for the PATCH the work, it MUST be a the correct version(= git tag)
# wasmtime-runtime = { path = "../wasmtime/crates/runtime/" }
# wasmtime-environ = { path = "../wasmtime/crates/environ/" }
# MUST ALSO SET "[workspace.dependencies]" below
# because this is a workspace and all versions are inherited...
wasmtime-runtime = { path = "./shared/rust/deps/wasmtime/crates/runtime/" }

[patch."https://github.com/integritee-network/pallets.git"]
sgx-verify = { path = "./shared/rust/deps/integritee-pallets/teerex/sgx-verify/" }
# 161 |                 Enclave::new(
#     |                 ------------ arguments to this function are incorrect
# ...
# 166 |                     report.build_mode,
#     |                     ^^^^^^^^^^^^^^^^^ expected enum `teerex_primitives::SgxBuildMode`, found a different enum `teerex_primitives::SgxBuildMod
teerex-primitives = { path = "./shared/rust/deps/integritee-pallets/primitives/teerex/" }

################################################################################
# only needed because "wastime" is using workspace inheritance
# copy-pasted from: https://github.com/bytecodealliance/wasmtime/blob/00fd7bc4d1ce64feb3ca82161216721b740ec571/Cargo.toml#L112
[workspace.dependencies]
...

and then in the Android lib crate:

# default-features to disable all std related code?
# "you can basically only use the compose_extrinsic_offline macro."
# maybe see https://github.com/scs/substrate-api-client/issues/166 ?
# substrate-api-client = { git = "https://github.com/scs/substrate-api-client.git", default-features = false, branch = "polkadot-v0.9.36" }
# [windows] error: failed to run custom build command for `openssl-sys v0.9.73
# Still fails even with Perl(strawberry) cf README
# So for now install Android Studio inside WSL2...
# ALSO "vendored" COULD BE needed b/c "/bin/sh: line 1: aarch64-linux-android-ranlib: command not found" https://github.com/sfackler/rust-openssl/issues/1830
openssl = { version = '0.10', features = ["vendored"] }
# those are for the examples cf https://github.com/scs/substrate-api-client/blob/master/Cargo.toml
# but here need them as part of our public API
# TODO cleanup eg MAYBE we need sp-core NOT the full node-template-runtime
# env_logger = "0.9.0"
# node-template-runtime = { git = "https://github.com/paritytech/substrate.git", branch = "master" }
sp-keyring = { default-features = false, git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.39" }
# clap = { version = "2.33", features = ["yaml"] }
# wabt = "0.10.0"

sp-std = { default-features = false, git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.39" }
sp-core = { default-features = false, features = ["full_crypto"], git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.39" }

# local
common = { path = "../common" }
integritee-cli = { git = "https://github.com/Interstellar-Network/integritee-worker.git", branch = "interstellar", features = ["sidechain"] }
# FIX: force correct features for this dep
sgx_crypto_helper = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git", features = ["crypto_direct"] }

Can you push your WIP to a public branch? And give the commands you're trying to use to compile your project?

What is the result of cargo tree -i sgx_crypto_helper -e all? Are you sure you only have one set of teaclave dependencies?

[...]
warning: skipping duplicate package `PCKIDRetrievalTool` found at `/home/pratn/.cargo/git/checkouts/teaclave-sgx-sdk-be25c2ad2f03718d/f1776a7/samplecode/dcap-pckretrieval/enclave`
sgx_crypto_helper v1.1.6 (/home/pratn/workspace/interstellar/wallet-app/shared/rust/deps/teaclave-sgx-sdk/sgx_crypto_helper)
└── itp-sgx-crypto v0.9.0 (/home/pratn/workspace/interstellar/integritee-worker/core-primitives/sgx/crypto)
    ├── itp-sgx-crypto feature "default"
    │   └── integritee-cli v0.9.0 (/home/pratn/workspace/interstellar/integritee-worker/cli)
    │       ├── integritee-cli feature "default"
    │       │   └── substrate-client v0.1.0 (/home/pratn/workspace/interstellar/wallet-app/shared/rust/substrate-client)
    │       │       ├── substrate-client feature "default" (command-line)
    │       │       │   [dev-dependencies]
    │       │       │   └── renderer v0.1.0 (/home/pratn/workspace/interstellar/wallet-app/shared/rust/renderer)
    │       │       │       └── renderer feature "default" (command-line)
    │       │       └── substrate-client feature "std"
    │       │           └── substrate-client feature "default" (command-line) (*)
    │       └── integritee-cli feature "sidechain"
    │           └── substrate-client v0.1.0 (/home/pratn/workspace/interstellar/wallet-app/shared/rust/substrate-client) (*)
    ├── itp-sgx-crypto feature "serde"
    │   └── itp-sgx-crypto feature "std"
    │       └── itp-sgx-crypto feature "default" (*)
    ├── itp-sgx-crypto feature "serde_json"
    │   └── itp-sgx-crypto feature "std" (*)
    └── itp-sgx-crypto feature "std" (*)
├── sgx_crypto_helper feature "crypto_direct"
│   └── substrate-client v0.1.0 (/home/pratn/workspace/interstellar/wallet-app/shared/rust/substrate-client) (*)
├── sgx_crypto_helper feature "default"
│   ├── integritee-cli v0.9.0 (/home/pratn/workspace/interstellar/integritee-worker/cli) (*)
│   ├── itc-rpc-client v0.9.0 (/home/pratn/workspace/interstellar/integritee-worker/core/rpc-client)
│   │   └── itc-rpc-client feature "default"
│   │       └── integritee-cli v0.9.0 (/home/pratn/workspace/interstellar/integritee-worker/cli) (*)
│   └── substrate-client v0.1.0 (/home/pratn/workspace/interstellar/wallet-app/shared/rust/substrate-client) (*)
│   └── itp-sgx-crypto feature "std" (*)
├── sgx_crypto_helper feature "libc"
│   └── sgx_crypto_helper feature "ucrypto_help"
│       └── sgx_crypto_helper feature "default" (*)
├── sgx_crypto_helper feature "num-bigint"
│   └── sgx_crypto_helper feature "crypto_direct" (*)
├── sgx_crypto_helper feature "rand"
│   └── sgx_crypto_helper feature "crypto_direct" (*)
├── sgx_crypto_helper feature "rsa"
│   └── sgx_crypto_helper feature "crypto_direct" (*)
├── sgx_crypto_helper feature "serde"
│   └── sgx_crypto_helper feature "ucrypto_help" (*)
├── sgx_crypto_helper feature "serde-big-array"
│   └── sgx_crypto_helper feature "ucrypto_help" (*)
├── sgx_crypto_helper feature "serde_derive"
│   └── sgx_crypto_helper feature "ucrypto_help" (*)
├── sgx_crypto_helper feature "sha2"
│   └── sgx_crypto_helper feature "crypto_direct" (*)
└── sgx_crypto_helper feature "ucrypto_help" (*)

[j-ti]

Thank you, I tried both, I am also using integritee-cli as dependency. So as it seems I am not having one set of teaclave dependency, but do not know how to resolve it, if necessary. That is why I just tried, if specifying the patch in the dependency itself rather than the projects Cargo.toml only.

cargo tree -i sgx_crypto_helper -e all :

[...]
warning: skipping duplicate package `Helloworldsampleenclave` found at `/home/timo/.cargo/git/checkouts/teaclave-sgx-sdk-be25c2ad2f03718d/a6a172e/samplecode/prost-protobuf/enclave`
sgx_crypto_helper v1.1.6 (/home/timo/dev/tee/incubator-teaclave-sgx-sdk/sgx_crypto_helper)
└── itp-sgx-crypto v0.9.0 (/home/timo/dev/tee/worker/core-primitives/sgx/crypto)
    ├── itp-sgx-crypto feature "default"
    │   └── integritee-cli v0.9.0 (/home/timo/dev/tee/worker/cli)
    │       └── integritee-cli feature "default"
    │           └── integritee_cli_py v0.0.1 (/home/timo/dev/tee/integritee_cli_py)
    │               └── integritee_cli_py feature "default" (command-line)
    ├── itp-sgx-crypto feature "serde"
    │   └── itp-sgx-crypto feature "std"
    │       └── itp-sgx-crypto feature "default" (*)
    ├── itp-sgx-crypto feature "serde_json"
    │   └── itp-sgx-crypto feature "std" (*)
    └── itp-sgx-crypto feature "std" (*)
├── sgx_crypto_helper feature "default"
│   ├── integritee-cli v0.9.0 (/home/timo/dev/tee/worker/cli) (*)
│   └── itc-rpc-client v0.9.0 (/home/timo/dev/tee/worker/core/rpc-client)
│       └── itc-rpc-client feature "default"
│           └── integritee-cli v0.9.0 (/home/timo/dev/tee/worker/cli) (*)
│   └── itp-sgx-crypto feature "std" (*)
├── sgx_crypto_helper feature "libc"
│   └── sgx_crypto_helper feature "ucrypto_help"
│       └── sgx_crypto_helper feature "default" (*)
├── sgx_crypto_helper feature "serde"
│   └── sgx_crypto_helper feature "ucrypto_help" (*)
├── sgx_crypto_helper feature "serde-big-array"
│   └── sgx_crypto_helper feature "ucrypto_help" (*)
├── sgx_crypto_helper feature "serde_derive"
│   └── sgx_crypto_helper feature "ucrypto_help" (*)
└── sgx_crypto_helper feature "ucrypto_help" (*)

I uploaded some minimal code here, which should just showcase that the the integritee-cli can be wrapped in a python library: [email protected]:BESTenergytrade/integritee-cli-py.git

I currently cloned
the worker at commit ea00ebe
and the incubator-teaclave-sgx-sdk at branch interstellar-direct-client-android
in folders parallel to the integritee-cli-py repo

I run the commands as described in the README, with maturin develop, but also cargo build fails in the same manner.

[n-prat]

Ah I think the issue is with the features, clearly the wrong one(ucrypto_help) is active. You CAN NOT use it on patch, this is ignored.

This is why I have added a "fake dependency" in my Android lib:

# FIX: force correct features for this dep
sgx_crypto_helper = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git", features = ["crypto_direct"] }

[j-ti]

Thank you @n-prat, it solved my issue!

I also had the wasmtime issue, maybe similar to what you mentioned here:

NOTE: previously I had an issue with wasmtime but since I rebased on a recent branch this is not needed anymore.

I did not fully understand what source you rebased to remove the issue, but for me rust rustup target add --toolchain nightly wasm32-unknown-unknown solved the error[E0463]: can't find crate for std .

[n-prat]

Great!

The wasmtime patch is only relevant for Android: the error looks like this.
You don't need to worry about it if you are compiling for desktop; but keep it in mind in case you want to cross-compile in the future.