We are excited to announce the release of version 0.3.0 of our oblv CLI 📢! We continuously aim to improve our product concerning ease of customer workflow, adding useful features, and minimizing critical bugs to make our product intuitive to use, more stable, and less vulnerable.
Keeping that in mind, here is what's new in our latest 0.3.0 version.
New keygen command added
As part of improving our customer workflow, we have integrated the generation of public/private key pairs. The user can now create the keys using the CLI itself (as opposed to having separate keygen scripts for different platforms before). This provides a uniform experience across all platforms and offers additional flexibility where the user can now specify the name and output path of the generated key pair. More details about the command are available in our dev docs here.
Encryption of URL query parameters
With our continuous effort on enhancing privacy and security, the release includes the encryption of URL query parameters for an HTTP request method. So for example, if a GET request contains any sensitive information in its optional query parameters, it will be encrypted using a symmetric key before communicating with the cloud infrastructure. The oblivious proxy then decrypts the parameters inside the enclave before forwarding the HTTP request to the client application.
Let's illustrate this with an example. Suppose the user wants to send a GET request with some sensitive information in the query parameters:
The CLI ensures the parameters are encrypted and this is the request we will be seeing when we observe the network:
As you can see the endpoint of the GET request looks like this: /test/?gAAAAABixcdl1JUrsKsBmL0eV1q0S_SupLNQDMjyDYSq71_0CQmjQkmseuCUT7RVL0VvRMCLcT9a_Ivk8tOJ1oRzoaXN7UIUaiEZcnAVxpP29A6yx2B2Hlk= where the parameter string is encrypted.
Capability to make multiple outbound calls from the enclave
This is a useful feature that enables client applications running inside the enclave to make outbound calls to multiple external endpoints. Each outbound connection routes via a separate network port and the client application can communicate with the external endpoint over a secure TLS connection without having to trust the infrastructure provider.
Allowlisting authorized endpoints
In conjunction with the above outbound calls feature, it includes the capability to allowlist only specific FQDNs that the client application is allowed to talk to. This acts as a firewall eliminating situations where the client applications inside the secure enclaves may inadvertently make outbound calls to unauthorized endpoints.
CLI updated to a static binary
The oblv CLI is now a statically linked binary that comes pre-bundled with libraries such as OpenSSL. This eliminates the earlier dependency on a particular version of OpenSSL required to be installed in the OS as part of prerequisites.
We have also integrated required SSL certificates into the binary itself that were earlier shipped separately with the binary. The current folder structure can be found in our developer documentation here.
API to interact with AWS KMS using cryptographic attestation
We have updated the CLI enabling integration with AWS KMS. The client application running inside the enclaves can call a kms-decrypt API to decrypt data that was encrypted using an AWS KMS symmetric CMK.
This allows the client application to take advantage of pre-built integrations with AWS KMS which can validate enclave attestations and only allows operations if the enclave attestation document is valid and conforms to the user-defined KMS policies. The client application can set up end-to-end encryption with KMS calling the API and decrypt the encrypted sensitive data received within the enclave.
Bug fixes and additional improvements
- Fixed an issue where if the user wants to run the CLI in debug mode, then they don't need to supply the PCRs which become optional in debug mode.
- Updated third-party libraries aimed at reducing security vulnerabilities.
Hope you find this useful!
If you require any additional clarifications or have any thoughts to share, please feel free to reach us over at Slack.
Any additional feature requests or bugs you would like us to address, please add them here!