Skip to content

Commit 1ebe752

Browse files
atanzuatanzu
committed
Add tests for EIF signing
This commit adds tests cases to validate the signing functionality. Signed-off-by: Mark Kirichenko <[email protected]>
1 parent 486ee2d commit 1ebe752

File tree

2 files changed

+330
-2
lines changed

2 files changed

+330
-2
lines changed

tests/test_nitro_cli_args.rs

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -337,6 +337,53 @@ mod test_nitro_cli_args {
337337
assert!(app.try_get_matches_from(args).is_err())
338338
}
339339

340+
#[test]
341+
fn sign_enclave_correct_command() {
342+
let app = create_app!();
343+
let args = vec![
344+
"nitro cli",
345+
"sign-eif",
346+
"--eif-path",
347+
"image.eif",
348+
"--signing-certificate",
349+
"cert.pem",
350+
"--private-key",
351+
"key.pem",
352+
];
353+
354+
assert!(app.try_get_matches_from(args).is_ok())
355+
}
356+
357+
#[test]
358+
fn sign_enclave_missing_certificate() {
359+
let app = create_app!();
360+
let args = vec![
361+
"nitro cli",
362+
"sign-eif",
363+
"--eif-path",
364+
"image.eif",
365+
"--private-key",
366+
"key.pem",
367+
];
368+
369+
assert!(app.try_get_matches_from(args).is_err())
370+
}
371+
372+
#[test]
373+
fn sign_enclave_missing_key() {
374+
let app = create_app!();
375+
let args = vec![
376+
"nitro cli",
377+
"sign-eif",
378+
"--eif-path",
379+
"image.eif",
380+
"--signing-certificate",
381+
"cert.pem",
382+
];
383+
384+
assert!(app.try_get_matches_from(args).is_err())
385+
}
386+
340387
#[test]
341388
fn build_enclave_with_metadata_correct_command() {
342389
let app = create_app!();

tests/tests.rs

Lines changed: 283 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
#[cfg(test)]
77
mod tests {
88
use nitro_cli::common::commands_parser::{
9-
BuildEnclavesArgs, RunEnclavesArgs, TerminateEnclavesArgs,
9+
BuildEnclavesArgs, RunEnclavesArgs, SignEifArgs, TerminateEnclavesArgs,
1010
};
1111
use nitro_cli::common::json_output::EnclaveDescribeInfo;
1212
use nitro_cli::enclave_proc::commands::{describe_enclaves, run_enclaves, terminate_enclaves};
@@ -17,7 +17,7 @@ mod tests {
1717
use nitro_cli::utils::{Console, PcrType};
1818
use nitro_cli::{
1919
build_enclaves, build_from_docker, describe_eif, enclave_console, get_file_pcr,
20-
new_enclave_name,
20+
new_enclave_name, sign_eif,
2121
};
2222
use nitro_cli::{CID_TO_CONSOLE_PORT_OFFSET, VMADDR_CID_HYPERVISOR};
2323
use serde_json::json;
@@ -365,6 +365,59 @@ mod tests {
365365
run_describe_terminate(args);
366366
}
367367

368+
#[test]
369+
fn run_describe_terminate_separately_signed_enclave_image() {
370+
let dir = tempdir().unwrap();
371+
let dir_path = dir.path().to_str().unwrap();
372+
let eif_path = format!("{}/test.eif", dir_path);
373+
let cert_path = format!("{}/cert.pem", dir_path);
374+
let key_path = format!("{}/key.pem", dir_path);
375+
generate_signing_cert_and_key(&cert_path, &key_path);
376+
377+
setup_env();
378+
let build_args = BuildEnclavesArgs {
379+
docker_uri: SAMPLE_DOCKER.to_string(),
380+
docker_dir: None,
381+
output: eif_path,
382+
signing_certificate: None,
383+
private_key: None,
384+
img_name: None,
385+
img_version: None,
386+
metadata: None,
387+
};
388+
389+
build_from_docker(
390+
&build_args.docker_uri,
391+
&build_args.docker_dir,
392+
&build_args.output,
393+
&build_args.signing_certificate,
394+
&build_args.private_key,
395+
&build_args.img_name,
396+
&build_args.img_version,
397+
&build_args.metadata,
398+
)
399+
.expect("Docker build failed");
400+
401+
let sign_args = SignEifArgs {
402+
eif_path: build_args.output.clone(),
403+
signing_certificate: Some(cert_path),
404+
private_key: Some(key_path),
405+
};
406+
sign_eif(sign_args).expect("Sign EIF failed");
407+
408+
let args = RunEnclavesArgs {
409+
enclave_cid: None,
410+
eif_path: build_args.output,
411+
cpu_ids: None,
412+
cpu_count: Some(2),
413+
memory_mib: 256,
414+
debug_mode: true,
415+
attach_console: false,
416+
enclave_name: Some("testName".to_string()),
417+
};
418+
run_describe_terminate(args);
419+
}
420+
368421
#[test]
369422
fn run_describe_terminate_command_executer_docker_image() {
370423
let dir = tempdir().unwrap();
@@ -1029,6 +1082,121 @@ mod tests {
10291082
assert!(eif_info.sign_check.unwrap());
10301083
}
10311084

1085+
#[test]
1086+
fn build_sign_decribe_simple_eif() {
1087+
let dir = tempdir().unwrap();
1088+
let dir_path = dir.path().to_str().unwrap();
1089+
let eif_path = format!("{}/test.eif", dir_path);
1090+
let cert_path = format!("{}/cert.pem", dir_path);
1091+
let key_path = format!("{}/key.pem", dir_path);
1092+
generate_signing_cert_and_key(&cert_path, &key_path);
1093+
1094+
setup_env();
1095+
let args = BuildEnclavesArgs {
1096+
docker_uri: SAMPLE_DOCKER.to_string(),
1097+
docker_dir: None,
1098+
output: eif_path,
1099+
signing_certificate: None,
1100+
private_key: None,
1101+
img_name: None,
1102+
img_version: None,
1103+
metadata: None,
1104+
};
1105+
1106+
build_from_docker(
1107+
&args.docker_uri,
1108+
&args.docker_dir,
1109+
&args.output,
1110+
&args.signing_certificate,
1111+
&args.private_key,
1112+
&args.img_name,
1113+
&args.img_version,
1114+
&args.metadata,
1115+
)
1116+
.expect("Docker build failed");
1117+
1118+
let eif_info = describe_eif(args.output.clone()).unwrap();
1119+
1120+
assert_eq!(eif_info.version, 4);
1121+
assert!(!eif_info.is_signed);
1122+
assert!(eif_info.cert_info.is_none());
1123+
assert!(eif_info.crc_check);
1124+
assert!(eif_info.sign_check.is_none());
1125+
1126+
let sign_args = SignEifArgs {
1127+
eif_path: args.output.clone(),
1128+
signing_certificate: Some(cert_path),
1129+
private_key: Some(key_path),
1130+
};
1131+
sign_eif(sign_args).expect("Sign EIF failed");
1132+
let signed_eif_info = describe_eif(args.output).unwrap();
1133+
1134+
assert_eq!(signed_eif_info.version, 4);
1135+
assert!(signed_eif_info.is_signed);
1136+
assert!(signed_eif_info.cert_info.is_some());
1137+
assert!(signed_eif_info.crc_check);
1138+
assert!(signed_eif_info.sign_check.unwrap());
1139+
}
1140+
1141+
#[test]
1142+
fn build_describe_signed_simple_eif_with_updated_signature() {
1143+
let dir = tempdir().unwrap();
1144+
let dir_path = dir.path().to_str().unwrap();
1145+
let eif_path = format!("{}/test.eif", dir_path);
1146+
let cert_path = format!("{}/cert.pem", dir_path);
1147+
let key_path = format!("{}/key.pem", dir_path);
1148+
let cert_path2 = format!("{}/cert2.pem", dir_path);
1149+
let key_path2 = format!("{}/key2.pem", dir_path);
1150+
generate_signing_cert_and_key(&cert_path, &key_path);
1151+
generate_signing_cert_and_key(&cert_path2, &key_path2);
1152+
1153+
setup_env();
1154+
let args = BuildEnclavesArgs {
1155+
docker_uri: SAMPLE_DOCKER.to_string(),
1156+
docker_dir: None,
1157+
output: eif_path,
1158+
signing_certificate: Some(cert_path),
1159+
private_key: Some(key_path),
1160+
img_name: None,
1161+
img_version: None,
1162+
metadata: None,
1163+
};
1164+
1165+
build_from_docker(
1166+
&args.docker_uri,
1167+
&args.docker_dir,
1168+
&args.output,
1169+
&args.signing_certificate,
1170+
&args.private_key,
1171+
&args.img_name,
1172+
&args.img_version,
1173+
&args.metadata,
1174+
)
1175+
.expect("Docker build failed");
1176+
1177+
let eif_info = describe_eif(args.output.clone()).unwrap();
1178+
1179+
assert_eq!(eif_info.version, 4);
1180+
assert!(eif_info.is_signed);
1181+
assert!(eif_info.cert_info.is_some());
1182+
assert!(eif_info.crc_check);
1183+
assert!(eif_info.sign_check.unwrap());
1184+
1185+
let sign_args = SignEifArgs {
1186+
eif_path: args.output.clone(),
1187+
signing_certificate: Some(cert_path2),
1188+
private_key: Some(key_path2),
1189+
};
1190+
sign_eif(sign_args).expect("Sign EIF failed");
1191+
let signed_eif_info = describe_eif(args.output).unwrap();
1192+
1193+
assert_eq!(signed_eif_info.version, 4);
1194+
assert!(signed_eif_info.is_signed);
1195+
assert!(signed_eif_info.cert_info.is_some());
1196+
assert!(signed_eif_info.crc_check);
1197+
assert!(signed_eif_info.sign_check.unwrap());
1198+
}
1199+
10321200
#[test]
10331201
fn get_certificate_pcr() {
10341202
let dir = tempdir().unwrap();
@@ -1076,4 +1244,117 @@ mod tests {
10761244
pcr.get(&"PCR8".to_string()).unwrap(),
10771245
);
10781246
}
1247+
1248+
#[test]
1249+
fn get_certificate_pcr_after_separate_signing() {
1250+
let dir = tempdir().unwrap();
1251+
let dir_path = dir.path().to_str().unwrap();
1252+
let eif_path = format!("{}/test.eif", dir_path);
1253+
let cert_path = format!("{}/cert.pem", dir_path);
1254+
let key_path = format!("{}/key.pem", dir_path);
1255+
generate_signing_cert_and_key(&cert_path, &key_path);
1256+
1257+
setup_env();
1258+
let args = BuildEnclavesArgs {
1259+
docker_uri: SAMPLE_DOCKER.to_string(),
1260+
docker_dir: None,
1261+
output: eif_path,
1262+
signing_certificate: None,
1263+
private_key: None,
1264+
img_name: None,
1265+
img_version: None,
1266+
metadata: None,
1267+
};
1268+
1269+
build_from_docker(
1270+
&args.docker_uri,
1271+
&args.docker_dir,
1272+
&args.output,
1273+
&args.signing_certificate,
1274+
&args.private_key,
1275+
&args.img_name,
1276+
&args.img_version,
1277+
&args.metadata,
1278+
)
1279+
.expect("Docker build failed");
1280+
1281+
let sign_args = SignEifArgs {
1282+
eif_path: args.output.clone(),
1283+
signing_certificate: Some(cert_path.clone()),
1284+
private_key: Some(key_path),
1285+
};
1286+
sign_eif(sign_args).expect("Sign EIF failed");
1287+
1288+
// Describe EIF and get PCR8
1289+
let eif_info = describe_eif(args.output).unwrap();
1290+
// Hash signing certificate and verify that PCR8 is the same (identifying the certificate)
1291+
let pcr = get_file_pcr(cert_path, PcrType::SigningCertificate).unwrap();
1292+
1293+
assert_eq!(
1294+
eif_info
1295+
.build_info
1296+
.measurements
1297+
.get(&"PCR8".to_string())
1298+
.unwrap(),
1299+
pcr.get(&"PCR8".to_string()).unwrap(),
1300+
);
1301+
}
1302+
1303+
#[test]
1304+
fn get_certificate_pcr_after_signature_update() {
1305+
let dir = tempdir().unwrap();
1306+
let dir_path = dir.path().to_str().unwrap();
1307+
let eif_path = format!("{}/test.eif", dir_path);
1308+
let cert_path = format!("{}/cert.pem", dir_path);
1309+
let key_path = format!("{}/key.pem", dir_path);
1310+
let cert_path2 = format!("{}/cert2.pem", dir_path);
1311+
let key_path2 = format!("{}/key2.pem", dir_path);
1312+
generate_signing_cert_and_key(&cert_path, &key_path);
1313+
generate_signing_cert_and_key(&cert_path2, &key_path2);
1314+
1315+
setup_env();
1316+
let args = BuildEnclavesArgs {
1317+
docker_uri: SAMPLE_DOCKER.to_string(),
1318+
docker_dir: None,
1319+
output: eif_path,
1320+
signing_certificate: Some(cert_path),
1321+
private_key: Some(key_path),
1322+
img_name: None,
1323+
img_version: None,
1324+
metadata: None,
1325+
};
1326+
1327+
build_from_docker(
1328+
&args.docker_uri,
1329+
&args.docker_dir,
1330+
&args.output,
1331+
&args.signing_certificate,
1332+
&args.private_key,
1333+
&args.img_name,
1334+
&args.img_version,
1335+
&args.metadata,
1336+
)
1337+
.expect("Docker build failed");
1338+
1339+
let sign_args = SignEifArgs {
1340+
eif_path: args.output.clone(),
1341+
signing_certificate: Some(cert_path2.clone()),
1342+
private_key: Some(key_path2),
1343+
};
1344+
sign_eif(sign_args).expect("Sign EIF failed");
1345+
1346+
// Describe EIF and get PCR8
1347+
let eif_info = describe_eif(args.output).unwrap();
1348+
// Hash signing certificate and verify that PCR8 is the same (identifying the certificate)
1349+
let pcr = get_file_pcr(cert_path2, PcrType::SigningCertificate).unwrap();
1350+
1351+
assert_eq!(
1352+
eif_info
1353+
.build_info
1354+
.measurements
1355+
.get(&"PCR8".to_string())
1356+
.unwrap(),
1357+
pcr.get(&"PCR8".to_string()).unwrap(),
1358+
);
1359+
}
10791360
}

0 commit comments

Comments
 (0)