From 06144fdd865cd35e1f784aafea67f58ef05e703b Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Thu, 3 Oct 2024 13:55:49 -0500 Subject: [PATCH] tests: update e2e Makefile test We now require a keypair to sign/validate the attestation token. Add this keypair to the e2e test. Interestingly, we were using a keypair for validating the old CoCo token in this test, but only for the passport mode. Even in background check mode, this keypair is required or the token won't be validated at all. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/test/Makefile | 16 ++++++++++++++-- kbs/test/config/kbs.toml | 6 +++--- kbs/test/config/resource-kbs.toml | 4 ++-- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/kbs/test/Makefile b/kbs/test/Makefile index ae67f77a4..13126153a 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -30,6 +30,9 @@ TEE_KEY := $(WORK_DIR)/tee.key HTTPS_KEY := $(WORK_DIR)/https.key HTTPS_CERT := $(WORK_DIR)/https.crt KBS_POLICY := $(WORK_DIR)/kbs-policy.rego +AS_KEY := $(WORK_DIR)/as-key.pem +AS_PRIVATE_KEY := $(WORK_DIR)/as-private-key.pem +AS_PUBLIC_KEY := $(WORK_DIR)/as-public-key.pem SHELL := bash ifeq ($(OS),Ubuntu) @@ -141,13 +144,22 @@ $(SECRET_FILE): mkdir -p $$(dirname "$(SECRET_FILE)") && \ openssl rand 16 > "$(SECRET_FILE)" +$(AS_KEY): + openssl ecparam -name prime256v1 -genkey -noout -out "$@" + +$(AS_PRIVATE_KEY): $(AS_KEY) + openssl pkcs8 -topk8 -inform PEM -outform PEM -in "$(AS_KEY)" -nocrypt -out "$@" + +$(AS_PUBLIC_KEY): $(AS_PRIVATE_KEY) + openssl ec -in "$(AS_PRIVATE_KEY)" -pubout -out "$@" + .PHONY: start-kbs start-kbs: kbs.PID .PHONY: start-resource-kbs start-resource-kbs: resource-kbs.PID -kbs-keys: $(KBS_KEY) $(TOKEN_KEY) $(HTTPS_KEY) +kbs-keys: $(KBS_KEY) $(TOKEN_KEY) $(HTTPS_KEY) $(AS_PUBLIC_KEY) $(AS_PRIVATE_KEY) kbs-certs: $(KBS_PEM) $(TOKEN_CERT_CHAIN) $(HTTPS_CERT) 
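Review bot: The three new rules in the `@@ -141,13 +144,22 @@` hunk write the same private key to disk twice — `$(AS_KEY)` in SEC1 form and `$(AS_PRIVATE_KEY)` as its PKCS#8 re-encoding — and nothing else in this patch reads the SEC1 file (`key_path` in kbs.toml points at `as-private-key.pem`), so the intermediate file and the `AS_KEY` variable added in the previous hunk can go: `openssl genpkey` emits PKCS#8 directly and `openssl pkey -pubout` derives the public key from it. Unlike the `$(SECRET_FILE)` rule immediately above, none of the new rules create the output directory first, so under `make -j` `$(AS_KEY)` may run before whichever rule creates `$(WORK_DIR)`; a `mkdir -p "$(@D)"` prefix keeps the pattern consistent (I cannot see from here whether another prerequisite guarantees the directory). Listing both `$(AS_PUBLIC_KEY)` and `$(AS_PRIVATE_KEY)` on `kbs-keys` is redundant since the public key already depends on the private one, though harmless.
```make
$(AS_PRIVATE_KEY):
	mkdir -p "$(@D)" && \
	openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$@"

$(AS_PUBLIC_KEY): $(AS_PRIVATE_KEY)
	openssl pkey -in "$<" -pubout -out "$@"
```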
@@ -159,7 +171,7 @@ kbs.PID: kbs kbs-keys kbs-certs $(SECRET_FILE) } && \ sleep 1 -resource-kbs.PID: resource-kbs $(KBS_PEM) $(CA_CERT) $(SECRET_FILE) +resource-kbs.PID: resource-kbs $(KBS_PEM) $(CA_CERT) $(SECRET_FILE) $(AS_PUBLIC_KEY) @printf "${BOLD}start resource-kbs${SGR0}\n" { \ ./resource-kbs --config-file "$(KBS_CONFIG_PATH)/resource-kbs.toml" \ diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index 0f08b733f..ba45b75dc 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -5,7 +5,8 @@ private_key = "./work/https.key" certificate = "./work/https.crt" [attestation_token_config] -attestation_token_type = "CoCo" +attestation_token_type = "Ear" +trusted_certs_paths = ["./work/as-public-key.pem"] [repository_config] type = "LocalFs" @@ -14,13 +15,12 @@ dir_path = "./work/repository" [as_config] work_dir = "./work/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" [as_config.attestation_token_config] duration_min = 5 [as_config.attestation_token_config.signer] -key_path = "./work/token.key" +key_path = "./work/as-private-key.pem" cert_path = "./work/token-cert-chain.pem" [as_config.rvps_config] diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 5c14ab519..876874f58 100644 --- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -3,8 +3,8 @@ auth_public_key = "./work/kbs.pem" insecure_http = true [attestation_token_config] -attestation_token_type = "CoCo" -trusted_certs_paths = ["./work/ca-cert.pem"] +attestation_token_type = "Ear" +trusted_certs_paths = ["./work/as-public-key.pem"] [repository_config] type = "LocalFs"
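Review bot: In the kbs.toml `@@ -5,7 +5,8 @@` hunk, and again in the resource-kbs.toml hunk below, `trusted_certs_paths` is handed a bare public key (`as-public-key.pem`, produced by `openssl ec -pubout`) rather than a certificate, whereas the value it replaces in resource-kbs.toml (`ca-cert.pem`) was a CA certificate. If the EAR verifier accepts raw public-key PEMs under that key name, a comment would spare the next reader a detour, e.g. `# trust anchor for EAR tokens: the AS signing public key itself, no certificate chain in the e2e setup`; if it expects certificates, token validation will fail in this test. With a raw key there is also no expiry or revocation on the trust anchor, which is acceptable for a test fixture but should not be carried into deployment configs.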
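Review bot: In the kbs.toml `@@ -14,13 +15,12 @@` hunk, `[as_config.attestation_token_config.signer]` now points `key_path` at `as-private-key.pem` but keeps `cert_path = "./work/token-cert-chain.pem"`, while `$(TOKEN_KEY)` and `$(TOKEN_CERT_CHAIN)` remain in `kbs-keys`/`kbs-certs`, which suggests that chain is still issued for the old `token.key`; the certificate the signer advertises would then no longer match the key it signs with. If the signer embeds the chain in the token, a verifier that checks it will reject the token; if the chain is ignored, the line is dead config — either drop `cert_path` here or issue `token-cert-chain.pem` for the new key. How the chain is built is outside this patch, so please confirm against the `$(TOKEN_CERT_CHAIN)` rule.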