From e3cdccfa1997c9b07f0d5c23a16777f5c28df379 Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Thu, 25 Aug 2022 11:20:44 +0000 Subject: [PATCH 01/11] Implement command 'sign-eif' --- src/common/commands_parser.rs | 155 ++++++++++++++++++++++++++++++++++ src/enclave_proc/commands.rs | 14 +-- src/lib.rs | 105 ++++++++++++++++++++++- src/main.rs | 34 ++++++-- 4 files changed, 290 insertions(+), 18 deletions(-) diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index aa60f05c..e56e96b4 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs @@ -36,6 +36,10 @@ pub struct RunEnclavesArgs { pub cpu_count: Option, /// Enclave name set by the user. pub enclave_name: Option, + /// The region in which the KMS key resides. + pub region: Option, + /// The KMS key id. + pub key_id: Option, } impl RunEnclavesArgs { @@ -89,6 +93,8 @@ impl RunEnclavesArgs { attach_console: attach_console(args), enclave_name: parse_enclave_name(args) .map_err(|err| err.add_subaction("Parse enclave name".to_string()))?, + region: parse_region(args), + key_id: parse_key_id(args), }) } } 
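Review bot: `RunEnclavesArgs::new_with` (src/common/commands_parser.rs, hunk at -89,6) stores `region` and `key_id` without checking that they are supplied together, although `DescribeArgs::new_with` in this same patch rejects a half-specified pair. Both values are later passed to `signature_checker.verify(...)` in src/enclave_proc/commands.rs, so the outcome with only one of them set depends on the verifier, which is not visible here. Because that check gates launching a signed image, I would reject `(Some(_), None)` and `(None, Some(_))` here with the same `MissingArgument` errors used for `describe-eif`. PATCH 03 renames the fields to `kms_key_region`/`kms_key_arn` but leaves this unchanged. The struct and the function body continue outside the hunks.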
@@ -279,6 +285,137 @@ impl PcrArgs { } } +/// The arguments used by `sign-eif` command +#[derive(Debug, Clone)] +pub struct SignArgs { + /// The method used for signing the EIF + pub signing_method: String, + /// The path to the enclave image file. + pub eif_path: String, + /// The path to the signing certificate. + pub signing_certificate: String, + /// The path to the private key. + pub private_key: Option, + /// The region in which the KMS key resides. + pub region: Option, + /// The KMS key id. + pub key_id: Option, +} + +impl SignArgs { + /// Construct a new `SignArg` instance from the given command-line arguments. + pub fn new_with(args: &ArgMatches) -> NitroCliResult { + let signing_method = parse_signing_method(args) + .map_err(|err| err.add_subaction("Parse signing method".to_string()))?; + let private_key = parse_private_key(args); + let region = parse_region(args); + let key_id = parse_key_id(args); + + match signing_method.as_str() { + "PrivateKey" => { + if private_key.is_none() { + return Err(new_nitro_cli_failure!( + "`private-key` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["private-key"])); + } + } + "KMS" => match (®ion, &key_id) { + (Some(_), None) => { + return Err(new_nitro_cli_failure!( + "`key-id` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["key-id"])) + } + (None, Some(_)) => { + return Err(new_nitro_cli_failure!( + "`region` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["region"])) + } + (None, None) => { + return Err(new_nitro_cli_failure!( + "`region` and `key-id` arguments not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["region and key-id"])) + } + _ => (), + }, + _ => { + return Err(new_nitro_cli_failure!( + "`signing-method` value is not valid", + NitroCliErrorEnum::InvalidArgument + ) + .add_info(vec!["signing-method"])) + } + }; + + Ok(SignArgs { + signing_method, + eif_path: parse_eif_path(args) + 
.map_err(|err| err.add_subaction("Parse EIF path".to_string()))?, + signing_certificate: parse_signing_certificate(args).ok_or_else(|| { + new_nitro_cli_failure!( + "`signing_certificate` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["signing_certificate"]) + })?, + private_key, + region, + key_id, + }) + } +} + +/// The arguments used by `describe-eif` command +#[derive(Debug, Clone)] +pub struct DescribeArgs { + /// The path to the enclave image file. + pub eif_path: String, + /// The region in which the KMS key resides. + pub region: Option, + /// The KMS key id. + pub key_id: Option, +} + +impl DescribeArgs { + /// Construct a new `DescribeArgs` instance from the given command-line arguments. + pub fn new_with(args: &ArgMatches) -> NitroCliResult { + let region = parse_region(args); + let key_id = parse_key_id(args); + + match (®ion, &key_id) { + (Some(_), None) => { + return Err(new_nitro_cli_failure!( + "`key-id` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["key-id"])) + } + (None, Some(_)) => { + return Err(new_nitro_cli_failure!( + "`region` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["region"])) + } + _ => (), + }; + + Ok(DescribeArgs { + eif_path: parse_eif_path(args) + .map_err(|err| err.add_subaction("Parse EIF path".to_string()))?, + region, + key_id, + }) + } +} + /// Parse file path to hash from the command-line arguments. fn parse_file_path(args: &ArgMatches, val_name: &str) -> NitroCliResult { let path = args.value_of(val_name).ok_or_else(|| { 
@@ -518,6 +655,24 @@ fn parse_error_code_str(args: &ArgMatches) -> NitroCliResult { Ok(error_code_str.to_string()) } +fn parse_signing_method(args: &ArgMatches) -> NitroCliResult { + let signing_method = args.value_of("signing-method").ok_or_else(|| { + new_nitro_cli_failure!( + "`signing-method` argument not found", + NitroCliErrorEnum::MissingArgument + ) + })?; + Ok(signing_method.to_string()) +} + +fn parse_region(args: &ArgMatches) -> Option { + args.value_of("region").map(|val| val.to_string()) +} + +fn parse_key_id(args: &ArgMatches) -> Option { + args.value_of("key-id").map(|val| val.to_string()) +} + #[cfg(test)] mod tests { use super::*; diff --git a/src/enclave_proc/commands.rs b/src/enclave_proc/commands.rs index 30c23b41..7a58fb42 100644 --- a/src/enclave_proc/commands.rs +++ b/src/enclave_proc/commands.rs @@ -93,12 +93,14 @@ pub fn run_enclaves( // Verify the certificate only if signature section exists if !signature_checker.is_empty() { - signature_checker.verify().map_err(|e| { - new_nitro_cli_failure!( - &format!("Invalid signing certificate: {:?}", e), - NitroCliErrorEnum::EIFSignatureCheckerError - ) - })?; + signature_checker + .verify(args.region.as_ref(), args.key_id.as_ref()) + .map_err(|e| { + new_nitro_cli_failure!( + &format!("Invalid signing certificate: {:?}", e), + NitroCliErrorEnum::EIFSignatureCheckerError + ) + })?; } // Launch parallel computing of PCRs diff --git a/src/lib.rs b/src/lib.rs index 169e64b0..f99e4644 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -17,6 +17,7 @@ pub mod utils; use aws_nitro_enclaves_image_format::defs::eif_hasher::EifHasher; use aws_nitro_enclaves_image_format::utils::eif_reader::EifReader; +use aws_nitro_enclaves_image_format::utils::eif_signer::EifSigner; use aws_nitro_enclaves_image_format::{generate_build_info, utils::get_pcrs}; use log::{debug, info}; use sha2::{Digest, Sha384}; 
@@ -27,7 +28,9 @@ use std::io::{self, Read, Write}; use std::os::unix::net::UnixStream; use std::path::PathBuf; -use common::commands_parser::{BuildEnclavesArgs, EmptyArgs, RunEnclavesArgs}; +use common::commands_parser::{ + BuildEnclavesArgs, DescribeArgs, EmptyArgs, RunEnclavesArgs, SignArgs, +}; use common::json_output::{ EifDescribeInfo, EnclaveBuildInfo, EnclaveTerminateInfo, MetadataDescribeInfo, }; @@ -66,6 +69,28 @@ pub fn build_enclaves(args: BuildEnclavesArgs) -> NitroCliResult<()> { Ok(()) } +/// Sign an existing EIF file +pub fn sign_eif_file(args: SignArgs) -> NitroCliResult<()> { + debug!("sign_eif_file"); + eprintln!("Start signing the Enclave Image..."); + let mut signer = EifSigner::new( + args.eif_path, + args.signing_method, + args.signing_certificate, + args.private_key, + args.region, + args.key_id, + ) + .map_err(|e| { + new_nitro_cli_failure!( + &format!("Failed to initialize EIF signer: {:?}", e), + NitroCliErrorEnum::EifParsingError + ) + })?; + signer.sign_image().expect("Failed signing"); + Ok(()) +} + /// Build an enclave image file from a Docker image. pub fn build_from_docker( docker_uri: &str, @@ -218,8 +243,8 @@ pub fn new_enclave_name(run_args: RunEnclavesArgs, names: Vec) -> NitroC /// /// Calculates PCRs 0, 1, 2, 8 at each call in addition to metadata, /// EIF details, identification provided by the user at build. -pub fn describe_eif(eif_path: String) -> NitroCliResult { - let mut eif_reader = EifReader::from_eif(eif_path).map_err(|e| { +pub fn describe_eif(desc_args: DescribeArgs) -> NitroCliResult { + let mut eif_reader = EifReader::from_eif(desc_args.eif_path).map_err(|e| { new_nitro_cli_failure!( &format!("Failed to initialize EIF reader: {:?}", e), NitroCliErrorEnum::EifParsingError 
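Review bot: `sign_eif_file` in src/lib.rs (hunk at -66,6) ends with `signer.sign_image().expect("Failed signing");`, so any signing failure panics instead of going through the `NitroCliResult` path that `main` wraps with `SIGN_EIF_STR`. Map the error the way the `EifSigner::new` call just above does: `signer.sign_image().map_err(|e| new_nitro_cli_failure!(&format!("Failed to sign EIF: {:?}", e), NitroCliErrorEnum::EifParsingError))?;`. A signing-specific error code would be clearer than `EifParsingError` for both calls, if the enum has or can gain one. PATCH 02 rewrites this function and keeps the same `expect`.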
@@ -265,7 +290,7 @@ pub fn describe_eif(eif_path: String) -> NitroCliResult { // Check if signature section is present if measurements.get(&"PCR8".to_string()).is_some() { let cert_info = eif_reader - .get_certificate_info(measurements) + .get_certificate_info(measurements, desc_args.region, desc_args.key_id) .map_err(|err| { new_nitro_cli_failure!( &format!("Failed to get certificate sigining info: {:?}", err), @@ -661,6 +686,22 @@ macro_rules! create_app { .required(false) .conflicts_with("config"), ) + .arg( + Arg::with_name("region") + .long("region") + .takes_value(true) + .help("The region in which the KMS key resides.") + .required(false) + .conflicts_with("config"), + ) + .arg( + Arg::with_name("key-id") + .long("key-id") + .takes_value(true) + .help("The KMS key id.") + .required(false) + .conflicts_with("config"), + ) .arg( Arg::with_name("config") .long("config") @@ -770,6 +811,18 @@ macro_rules! create_app { .help("Path to the EIF to describe.") .required(true) .takes_value(true), + ) + .arg( + Arg::with_name("region") + .long("region") + .help("The region in which the KMS key resides.") + .takes_value(true), + ) + .arg( + Arg::with_name("key-id") + .long("key-id") + .help("The KMS key id.") + .takes_value(true), ), ) .subcommand( 
@@ -839,5 +892,49 @@ macro_rules! create_app { .required(true), ), ) + .subcommand( + SubCommand::with_name("sign-eif") + .about("Sign an existing enclave image") + .arg( + Arg::with_name("signing-method") + .long("signing-method") + .takes_value(true) + .help("Specify the method that will be used to sign the image: PrivateKey or KMS.") + .required(true), + ) + .arg( + Arg::with_name("eif-path") + .long("eif-path") + .takes_value(true) + .help("Path to the enclave image file.") + .required(true), + ) + .arg( + Arg::with_name("signing-certificate") + .long("signing-certificate") + .takes_value(true) + .takes_value(true) + .help("Local path to developer's X509 signing certificate.") + .required(true), + ) + .arg( + Arg::with_name("private-key") + .long("private-key") + .help("Local path to developer's Eliptic Curve private key.") + .takes_value(true), + ) + .arg( + Arg::with_name("region") + .long("region") + .help("The region in which the KMS key resides.") + .takes_value(true), + ) + .arg( + Arg::with_name("key-id") + .long("key-id") + .help("The KMS key id") + .takes_value(true), + ), + ) }; } diff --git a/src/main.rs b/src/main.rs index 3c46d6b4..59188430 100644 --- a/src/main.rs +++ b/src/main.rs @@ -13,8 +13,8 @@ use log::info; use std::os::unix::net::UnixStream; use nitro_cli::common::commands_parser::{ - BuildEnclavesArgs, ConsoleArgs, DescribeEnclavesArgs, EmptyArgs, ExplainArgs, PcrArgs, - RunEnclavesArgs, TerminateEnclavesArgs, + BuildEnclavesArgs, ConsoleArgs, DescribeArgs, DescribeEnclavesArgs, EmptyArgs, ExplainArgs, + PcrArgs, RunEnclavesArgs, SignArgs, TerminateEnclavesArgs, }; use nitro_cli::common::document_errors::explain_error; use nitro_cli::common::json_output::{EnclaveDescribeInfo, EnclaveRunInfo, EnclaveTerminateInfo}; 
@@ -29,7 +29,7 @@ use nitro_cli::enclave_proc_comm::{ }; use nitro_cli::{ build_enclaves, console_enclaves, create_app, describe_eif, get_all_enclave_names, - get_file_pcr, new_enclave_name, new_nitro_cli_failure, terminate_all_enclaves, + get_file_pcr, new_enclave_name, new_nitro_cli_failure, sign_eif_file, terminate_all_enclaves, }; const RUN_ENCLAVE_STR: &str = "Run Enclave"; @@ -42,6 +42,7 @@ const ENCLAVE_CONSOLE_STR: &str = "Enclave Console"; const EXPLAIN_ERR_STR: &str = "Explain Error"; const NEW_NAME_STR: &str = "New Enclave Name"; const FILE_PCR_STR: &str = "File PCR"; +const SIGN_EIF_STR: &str = "Sign EIF"; /// *Nitro CLI* application entry point. fn main() { @@ -228,11 +229,13 @@ fn main() { .ok_or_exit_with_errno(None); } Some(("describe-eif", args)) => { - let eif_path = args - .value_of("eif-path") - .map(|val| val.to_string()) - .unwrap(); - describe_eif(eif_path) + let describe_args = DescribeArgs::new_with(args) + .map_err(|e| { + e.add_subaction("Failed to construct describe arguments".to_string()) + .set_action(FILE_PCR_STR.to_string()) + }) + .ok_or_exit_with_errno(None); + describe_eif(describe_args) .map_err(|e| { e.add_subaction("Failed to describe EIF".to_string()) .set_action(DESCRIBE_EIF_STR.to_string()) @@ -301,6 +304,21 @@ fn main() { .ok_or_exit_with_errno(None); explain_error(explain_args.error_code_str); } + Some(("sign-eif", args)) => { + let sign_args = SignArgs::new_with(args) + .map_err(|e| { + e.add_subaction("Failed to construct Sign arguments".to_string()) + .set_action(SIGN_EIF_STR.to_string()) + }) + .ok_or_exit_with_errno(None); + + sign_eif_file(sign_args) + .map_err(|e| { + e.add_subaction("Failed to sign EIF file".to_string()) + .set_action(SIGN_EIF_STR.to_string()) + }) + .ok_or_exit_with_errno(None); + } Some((&_, _)) | None => (), } } From b8becd033e3d95874c30809ba7f50c81074c9ac9 Mon Sep 17 00:00:00 2001 
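Review bot: In the `describe-eif` arm of `main` (src/main.rs, hunk at -228,11), a failure of `DescribeArgs::new_with` is labelled with `.set_action(FILE_PCR_STR.to_string())`, so a describe-eif argument error is reported under the "File PCR" action. It looks copied from the PCR arm. `.set_action(DESCRIBE_EIF_STR.to_string())` would match the `describe_eif` call directly below it.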
From: Vlad Proteasa Date: Tue, 30 Aug 2022 12:16:11 +0000 Subject: [PATCH 02/11] Use enum for signing_key --- src/common/commands_parser.rs | 72 +++++++++++++++++++---------------- src/lib.rs | 21 ++++------ 2 files changed, 46 insertions(+), 47 deletions(-) diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index e56e96b4..185639e3 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs @@ -3,6 +3,7 @@ #![deny(missing_docs)] #![deny(warnings)] +use aws_nitro_enclaves_image_format::utils::eif_signer::SigningKey; use clap::ArgMatches; use libc::VMADDR_CID_HOST; #[cfg(test)] @@ -294,12 +295,8 @@ pub struct SignArgs { pub eif_path: String, /// The path to the signing certificate. pub signing_certificate: String, - /// The path to the private key. - pub private_key: Option, - /// The region in which the KMS key resides. - pub region: Option, - /// The KMS key id. - pub key_id: Option, + /// The key used for signing the EIF + pub signing_key: SigningKey, } impl SignArgs { @@ -310,6 +307,7 @@ impl SignArgs { let private_key = parse_private_key(args); let region = parse_region(args); let key_id = parse_key_id(args); + let signing_key; match signing_method.as_str() { "PrivateKey" => { 
@@ -320,31 +318,41 @@ impl SignArgs { ) .add_info(vec!["private-key"])); } + signing_key = SigningKey::LocalKey { + path: private_key.unwrap(), + }; + } + "KMS" => { + match (®ion, &key_id) { + (Some(_), None) => { + return Err(new_nitro_cli_failure!( + "`key-id` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["key-id"])) + } + (None, Some(_)) => { + return Err(new_nitro_cli_failure!( + "`region` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["region"])) + } + (None, None) => { + return Err(new_nitro_cli_failure!( + "`region` and `key-id` arguments not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["region and key-id"])) + } + _ => (), + }; + + signing_key = SigningKey::KmsKey { + key_id: key_id.unwrap(), + region: region.unwrap(), + }; } - "KMS" => match (®ion, &key_id) { - (Some(_), None) => { - return Err(new_nitro_cli_failure!( - "`key-id` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["key-id"])) - } - (None, Some(_)) => { - return Err(new_nitro_cli_failure!( - "`region` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["region"])) - } - (None, None) => { - return Err(new_nitro_cli_failure!( - "`region` and `key-id` arguments not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["region and key-id"])) - } - _ => (), - }, _ => { return Err(new_nitro_cli_failure!( "`signing-method` value is not valid", @@ -365,9 +373,7 @@ impl SignArgs { ) .add_info(vec!["signing_certificate"]) })?, - private_key, - region, - key_id, + signing_key, }) } } diff --git a/src/lib.rs b/src/lib.rs index f99e4644..27637e87 100644 --- a/src/lib.rs +++ b/src/lib.rs 
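Review bot: The new `signing_key` assignments in `SignArgs::new_with` depend on `private_key.unwrap()`, `key_id.unwrap()` and `region.unwrap()` being guarded by checks made earlier on borrowed copies, which is easy to break when an arm is edited. Matching on the owned options removes both the unwraps and the deferred `let signing_key;`: in the KMS branch use `match (region, key_id) { (Some(region), Some(key_id)) => SigningKey::KmsKey { key_id, region }, ... }` with the three error arms kept as they are, and in the private-key branch `match private_key { Some(path) => SigningKey::LocalKey { path }, None => return Err(...) }`. The function body starts outside this hunk.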
@@ -73,20 +73,13 @@ pub fn build_enclaves(args: BuildEnclavesArgs) -> NitroCliResult<()> { pub fn sign_eif_file(args: SignArgs) -> NitroCliResult<()> { debug!("sign_eif_file"); eprintln!("Start signing the Enclave Image..."); - let mut signer = EifSigner::new( - args.eif_path, - args.signing_method, - args.signing_certificate, - args.private_key, - args.region, - args.key_id, - ) - .map_err(|e| { - new_nitro_cli_failure!( - &format!("Failed to initialize EIF signer: {:?}", e), - NitroCliErrorEnum::EifParsingError - ) - })?; + let mut signer = EifSigner::new(args.eif_path, args.signing_certificate, args.signing_key) + .map_err(|e| { + new_nitro_cli_failure!( + &format!("Failed to initialize EIF signer: {:?}", e), + NitroCliErrorEnum::EifParsingError + ) + })?; signer.sign_image().expect("Failed signing"); Ok(()) } From fb2b2771d74bb6ab563851e7e6c3a74ae665da6e Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Mon, 26 Sep 2022 11:11:04 +0000 Subject: [PATCH 03/11] Refactor sign-eif arguments --- src/common/commands_parser.rs | 115 ++++++++++++---------------------- src/enclave_proc/commands.rs | 2 +- src/lib.rs | 30 ++++----- 3 files changed, 54 insertions(+), 93 deletions(-) diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index 185639e3..0c81b92e 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs @@ -38,9 +38,9 @@ pub struct RunEnclavesArgs { /// Enclave name set by the user. pub enclave_name: Option, /// The region in which the KMS key resides. - pub region: Option, + pub kms_key_region: Option, /// The KMS key id. - pub key_id: Option, + pub kms_key_arn: Option, } impl RunEnclavesArgs { 
@@ -94,8 +94,8 @@ impl RunEnclavesArgs { attach_console: attach_console(args), enclave_name: parse_enclave_name(args) .map_err(|err| err.add_subaction("Parse enclave name".to_string()))?, - region: parse_region(args), - key_id: parse_key_id(args), + kms_key_region: parse_kms_key_region(args), + kms_key_arn: parse_kms_key_arn(args), }) } } 
@@ -302,68 +302,43 @@ pub struct SignArgs { impl SignArgs { /// Construct a new `SignArg` instance from the given command-line arguments. pub fn new_with(args: &ArgMatches) -> NitroCliResult { - let signing_method = parse_signing_method(args) - .map_err(|err| err.add_subaction("Parse signing method".to_string()))?; let private_key = parse_private_key(args); - let region = parse_region(args); - let key_id = parse_key_id(args); + let kms_key_region = parse_kms_key_region(args); + let kms_key_arn = parse_kms_key_arn(args); let signing_key; + let signing_method; - match signing_method.as_str() { - "PrivateKey" => { - if private_key.is_none() { - return Err(new_nitro_cli_failure!( - "`private-key` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["private-key"])); - } + match (&private_key, &kms_key_arn) { + (Some(_), None) => { signing_key = SigningKey::LocalKey { path: private_key.unwrap(), }; + signing_method = "PrivateKey"; } - "KMS" => { - match (®ion, &key_id) { - (Some(_), None) => { - return Err(new_nitro_cli_failure!( - "`key-id` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["key-id"])) - } - (None, Some(_)) => { - return Err(new_nitro_cli_failure!( - "`region` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["region"])) - } - (None, None) => { - return Err(new_nitro_cli_failure!( - "`region` and `key-id` arguments not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["region and key-id"])) - } - _ => (), - }; - + (None, Some(_)) => { + if kms_key_region.is_none() { + return Err(new_nitro_cli_failure!( + "`kms-key-region` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["kms-key-region"])) + } signing_key = SigningKey::KmsKey { - key_id: key_id.unwrap(), - region: region.unwrap(), + arn: kms_key_arn.unwrap(), + region: kms_key_region.unwrap(), }; + signing_method = "KMS"; } _ => { return Err(new_nitro_cli_failure!( - 
"`signing-method` value is not valid", - NitroCliErrorEnum::InvalidArgument - ) - .add_info(vec!["signing-method"])) + "Missing one of: `private-key` or `kms-key-arn`", + NitroCliErrorEnum::MissingArgument + )); } }; Ok(SignArgs { - signing_method, + signing_method: signing_method.to_string(), eif_path: parse_eif_path(args) .map_err(|err| err.add_subaction("Parse EIF path".to_string()))?, signing_certificate: parse_signing_certificate(args).ok_or_else(|| { @@ -384,31 +359,31 @@ pub struct DescribeArgs { /// The path to the enclave image file. pub eif_path: String, /// The region in which the KMS key resides. - pub region: Option, + pub kms_key_region: Option, /// The KMS key id. - pub key_id: Option, + pub kms_key_arn: Option, } impl DescribeArgs { /// Construct a new `DescribeArgs` instance from the given command-line arguments. pub fn new_with(args: &ArgMatches) -> NitroCliResult { - let region = parse_region(args); - let key_id = parse_key_id(args); + let kms_key_region = parse_kms_key_region(args); + let kms_key_arn = parse_kms_key_arn(args); - match (®ion, &key_id) { + match (&kms_key_region, &kms_key_arn) { (Some(_), None) => { return Err(new_nitro_cli_failure!( - "`key-id` argument not found", + "`kms-key-arn` argument not found", NitroCliErrorEnum::MissingArgument ) - .add_info(vec!["key-id"])) + .add_info(vec!["kms-key-arn"])) } (None, Some(_)) => { return Err(new_nitro_cli_failure!( - "`region` argument not found", + "`kms-key-region` argument not found", NitroCliErrorEnum::MissingArgument ) - .add_info(vec!["region"])) + .add_info(vec!["kms-key-region"])) } _ => (), }; @@ -416,8 +391,8 @@ impl DescribeArgs { Ok(DescribeArgs { eif_path: parse_eif_path(args) .map_err(|err| err.add_subaction("Parse EIF path".to_string()))?, - region, - key_id, + kms_key_region, + kms_key_arn, }) } } 
@@ -661,22 +636,12 @@ fn parse_error_code_str(args: &ArgMatches) -> NitroCliResult { Ok(error_code_str.to_string()) } -fn parse_signing_method(args: &ArgMatches) -> NitroCliResult { - let signing_method = args.value_of("signing-method").ok_or_else(|| { - new_nitro_cli_failure!( - "`signing-method` argument not found", - NitroCliErrorEnum::MissingArgument - ) - })?; - Ok(signing_method.to_string()) -} - -fn parse_region(args: &ArgMatches) -> Option { - args.value_of("region").map(|val| val.to_string()) +fn parse_kms_key_region(args: &ArgMatches) -> Option { + args.value_of("kms-key-region").map(|val| val.to_string()) } -fn parse_key_id(args: &ArgMatches) -> Option { - args.value_of("key-id").map(|val| val.to_string()) +fn parse_kms_key_arn(args: &ArgMatches) -> Option { + args.value_of("kms-key-arn").map(|val| val.to_string()) } #[cfg(test)] diff --git a/src/enclave_proc/commands.rs b/src/enclave_proc/commands.rs index 7a58fb42..520befed 100644 --- a/src/enclave_proc/commands.rs +++ b/src/enclave_proc/commands.rs @@ -94,7 +94,7 @@ pub fn run_enclaves( // Verify the certificate only if signature section exists if !signature_checker.is_empty() { signature_checker - .verify(args.region.as_ref(), args.key_id.as_ref()) + .verify(args.kms_key_region.as_ref(), args.kms_key_arn.as_ref()) .map_err(|e| { new_nitro_cli_failure!( &format!("Invalid signing certificate: {:?}", e), diff --git a/src/lib.rs b/src/lib.rs index 27637e87..da4a976a 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -283,7 +283,7 @@ pub fn describe_eif(desc_args: DescribeArgs) -> NitroCliResult // Check if signature section is present if measurements.get(&"PCR8".to_string()).is_some() { let cert_info = eif_reader - .get_certificate_info(measurements, desc_args.region, desc_args.key_id) + .get_certificate_info(measurements, desc_args.kms_key_region, desc_args.kms_key_arn) .map_err(|err| { new_nitro_cli_failure!( &format!("Failed to get certificate sigining info: {:?}", err), 
@@ -888,13 +888,6 @@ macro_rules! create_app { .subcommand( SubCommand::with_name("sign-eif") .about("Sign an existing enclave image") - .arg( - Arg::with_name("signing-method") - .long("signing-method") - .takes_value(true) - .help("Specify the method that will be used to sign the image: PrivateKey or KMS.") - .required(true), - ) .arg( Arg::with_name("eif-path") .long("eif-path") @@ -906,7 +899,6 @@ macro_rules! create_app { Arg::with_name("signing-certificate") .long("signing-certificate") .takes_value(true) - .takes_value(true) .help("Local path to developer's X509 signing certificate.") .required(true), ) @@ -914,19 +906,23 @@ macro_rules! create_app { Arg::with_name("private-key") .long("private-key") .help("Local path to developer's Eliptic Curve private key.") - .takes_value(true), + .takes_value(true) + .conflicts_with("kms-key-arn") + .conflicts_with("kms-key-region"), ) .arg( - Arg::with_name("region") - .long("region") + Arg::with_name("kms-key-region") + .long("kms-key-region") .help("The region in which the KMS key resides.") - .takes_value(true), + .takes_value(true) + .conflicts_with("private-key"), ) .arg( - Arg::with_name("key-id") - .long("key-id") - .help("The KMS key id") - .takes_value(true), + Arg::with_name("kms-key-arn") + .long("kms-key-arn") + .help("The KMS key ARN") + .takes_value(true) + .conflicts_with("private-key"), ), ) }; From a44bd21b70271b3b6f3e2cb74912dbdddd035728 Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Mon, 26 Sep 2022 15:10:52 +0000 Subject: [PATCH 04/11] Add KMS signing option for build-enclave --- enclave_build/src/lib.rs | 11 ++++--- enclave_build/src/main.rs | 10 ++++-- src/common/commands_parser.rs | 37 ++++++++++++++++----- src/lib.rs | 61 +++++++++++++++++++++++------------ 4 files changed, 83 insertions(+), 36 deletions(-) diff --git a/enclave_build/src/lib.rs b/enclave_build/src/lib.rs index d8d41a19..cbf440b5 100644 --- a/enclave_build/src/lib.rs +++ b/enclave_build/src/lib.rs 
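Review bot: The `sign-eif` arguments in `create_app!` (src/lib.rs) express the private-key/KMS exclusion with `conflicts_with`, but nothing ties `kms-key-arn` to `kms-key-region`. The pairing is enforced only by hand in `SignArgs::new_with`, where a lone `--kms-key-region` falls through to the generic "Missing one of" error. Adding `.requires("kms-key-region")` on `kms-key-arn` and `.requires("kms-key-arn")` on `kms-key-region` lets clap reject a half-specified KMS key with a usage message. The `private-key` help text also has a typo, `Eliptic` for `Elliptic`. The macro body continues outside these hunks.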
@@ -10,6 +10,7 @@ mod docker; mod yaml_generator; use aws_nitro_enclaves_image_format::defs::{EifBuildInfo, EifIdentityInfo, EIF_HDR_ARCH_ARM64}; +use aws_nitro_enclaves_image_format::utils::eif_signer::SigningKey; use aws_nitro_enclaves_image_format::utils::identity::parse_custom_metadata; use aws_nitro_enclaves_image_format::utils::{EifBuilder, SignEnclaveInfo}; use docker::DockerUtil; @@ -68,7 +69,7 @@ impl<'a> Docker2Eif<'a> { output: &'a mut File, artifacts_prefix: String, certificate_path: &Option, - key_path: &Option, + signing_key: &Option, img_name: Option, img_version: Option, metadata_path: Option, @@ -94,11 +95,11 @@ impl<'a> Docker2Eif<'a> { } } - let sign_info = match (certificate_path, key_path) { + let sign_info = match (certificate_path, signing_key) { (None, None) => None, - (Some(cert_path), Some(key_path)) => Some( - SignEnclaveInfo::new(cert_path, key_path) - .map_err(|err| Docker2EifError::SignImageError(format!("{err:?}")))?, + (Some(cert_path), Some(signing_key)) => Some( + SignEnclaveInfo::new(cert_path, signing_key) + .map_err(|err| Docker2EifError::SignImageError(format!("{:?}", err)))?, ), _ => return Err(Docker2EifError::SignArgsError), }; diff --git a/enclave_build/src/main.rs b/enclave_build/src/main.rs index 52af2265..cc7f3922 100644 --- a/enclave_build/src/main.rs +++ b/enclave_build/src/main.rs @@ -5,6 +5,7 @@ use clap::{App, AppSettings, Arg}; use std::fs::OpenOptions; use aws_nitro_enclaves_image_format::generate_build_info; +use aws_nitro_enclaves_image_format::utils::eif_signer::SigningKey; use enclave_build::Docker2Eif; fn main() { 
@@ -133,9 +134,12 @@ fn main() { let signing_certificate = matches .value_of("signing_certificate") .map(|val| val.to_string()); - let private_key = matches - .value_of("private_certificate") - .map(|val| val.to_string()); + let private_key = Some(SigningKey::LocalKey { + path: matches + .value_of("private_certificate") + .map(|val| val.to_string()) + .unwrap(), + }); let img_name = matches.value_of("image_name").map(|val| val.to_string()); let img_version = matches.value_of("image_version").map(|val| val.to_string()); let metadata = matches.value_of("metadata").map(|val| val.to_string()); diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index 0c81b92e..27ef5c3d 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs @@ -112,8 +112,8 @@ pub struct BuildEnclavesArgs { pub output: String, /// The path to the signing certificate for signed enclaves. pub signing_certificate: Option, - /// The path to the private key for signed enclaves. - pub private_key: Option, + /// The key used for signing the EIF + pub signing_key: Option, /// The name of the enclave image. pub img_name: Option, /// The version of the enclave image. 
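Review bot: In enclave_build/src/main.rs the new `private_key` is built with `.value_of("private_certificate").map(|val| val.to_string()).unwrap()` inside an unconditional `Some(SigningKey::LocalKey { .. })`, so it panics whenever the option is absent. The removed lines kept the value as an `Option`, which suggests the argument is optional, though its definition is outside the hunk. If so, the `(None, None)` arm for unsigned builds in `Docker2Eif::new` can no longer be reached from this binary. Keeping the option intact restores it: `let private_key = matches.value_of("private_certificate").map(|val| SigningKey::LocalKey { path: val.to_string() });`.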
@@ -127,14 +127,35 @@ impl BuildEnclavesArgs { pub fn new_with(args: &ArgMatches) -> NitroCliResult { let signing_certificate = parse_signing_certificate(args); let private_key = parse_private_key(args); + let kms_key_region = parse_kms_key_region(args); + let kms_key_arn = parse_kms_key_arn(args); + + let signing_key = match (&private_key, &kms_key_arn) { + (Some(_), None) => Some(SigningKey::LocalKey { + path: private_key.unwrap(), + }), + (None, Some(_)) => { + if kms_key_region.is_none() { + return Err(new_nitro_cli_failure!( + "`kms-key-region` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["kms-key-region"])); + } + Some(SigningKey::KmsKey { + arn: kms_key_arn.unwrap(), + region: kms_key_region.unwrap(), + }) + } + _ => None, + }; - match (&signing_certificate, &private_key) { + match (&signing_certificate, &signing_key) { (Some(_), None) => { return Err(new_nitro_cli_failure!( - "`private-key` argument not found", + "`private-key` or `kms-key-arn` argument not found", NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["private-key"])) + )) } (None, Some(_)) => { return Err(new_nitro_cli_failure!( @@ -163,7 +184,7 @@ impl BuildEnclavesArgs { .add_info(vec!["output"]) })?, signing_certificate, - private_key, + signing_key, img_name: parse_image_name(args), img_version: parse_image_version(args), metadata: parse_metadata(args), @@ -321,7 +342,7 @@ impl SignArgs { "`kms-key-region` argument not found", NitroCliErrorEnum::MissingArgument ) - .add_info(vec!["kms-key-region"])) + .add_info(vec!["kms-key-region"])); } signing_key = SigningKey::KmsKey { arn: kms_key_arn.unwrap(), diff --git a/src/lib.rs b/src/lib.rs index da4a976a..fc9b9518 100644 --- a/src/lib.rs +++ b/src/lib.rs 
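Review bot: In `BuildEnclavesArgs::new_with` the catch-all `_ => None` arm of the new `signing_key` match also covers `--kms-key-region` given without `--kms-key-arn`. If no `--signing-certificate` is passed either, the following check sees `(None, None)` and the image is built unsigned with no error. A user who omitted or mistyped the ARN option then gets an unsigned EIF where a signed one was intended, so I would return `MissingArgument` for `kms-key-arn` when `kms_key_region.is_some()` and no key was selected. The `private_key.unwrap()` / `kms_key_arn.unwrap()` calls could be dropped at the same time by matching on the owned options. The function continues outside the hunk.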
@@ -18,6 +18,7 @@ pub mod utils; use aws_nitro_enclaves_image_format::defs::eif_hasher::EifHasher; use aws_nitro_enclaves_image_format::utils::eif_reader::EifReader; use aws_nitro_enclaves_image_format::utils::eif_signer::EifSigner; +use aws_nitro_enclaves_image_format::utils::eif_signer::SigningKey; use aws_nitro_enclaves_image_format::{generate_build_info, utils::get_pcrs}; use log::{debug, info}; use sha2::{Digest, Sha384}; @@ -60,7 +61,7 @@ pub fn build_enclaves(args: BuildEnclavesArgs) -> NitroCliResult<()> { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -90,7 +91,7 @@ pub fn build_from_docker( docker_dir: &Option, output_path: &str, signing_certificate: &Option, - private_key: &Option, + signing_key: &Option, img_name: &Option, img_version: &Option, metadata_path: &Option, @@ -153,7 +154,7 @@ pub fn build_from_docker( &mut file_output, artifacts_path()?, signing_certificate, - private_key, + signing_key, img_name.clone(), img_version.clone(), metadata_path.clone(), @@ -283,7 +284,11 @@ pub fn describe_eif(desc_args: DescribeArgs) -> NitroCliResult // Check if signature section is present if measurements.get(&"PCR8".to_string()).is_some() { let cert_info = eif_reader - .get_certificate_info(measurements, desc_args.kms_key_region, desc_args.kms_key_arn) + .get_certificate_info( + measurements, + desc_args.kms_key_region, + desc_args.kms_key_arn, + ) .map_err(|err| { new_nitro_cli_failure!( &format!("Failed to get certificate sigining info: {:?}", err), 
@@ -680,18 +685,18 @@ macro_rules! create_app { .conflicts_with("config"), ) .arg( - Arg::with_name("region") - .long("region") + Arg::with_name("kms-key-region") + .long("kms-key-region") .takes_value(true) .help("The region in which the KMS key resides.") .required(false) .conflicts_with("config"), ) .arg( - Arg::with_name("key-id") - .long("key-id") + Arg::with_name("kms-key-arn") + .long("kms-key-arn") .takes_value(true) - .help("The KMS key id.") + .help("The KMS key ARN.") .required(false) .conflicts_with("config"), ) @@ -770,12 +775,6 @@ macro_rules! create_app { .help("Local path to developer's X509 signing certificate.") .takes_value(true), ) - .arg( - Arg::with_name("private-key") - .long("private-key") - .help("Local path to developer's Eliptic Curve private key.") - .takes_value(true), - ) .arg( Arg::with_name("image_name") .long("name") @@ -793,6 +792,28 @@ macro_rules! create_app { .long("metadata") .help("Path to JSON containing the custom metadata provided by the user.") .takes_value(true), + ) + .arg( + Arg::with_name("private-key") + .long("private-key") + .help("Local path to developer's Eliptic Curve private key.") + .takes_value(true) + .conflicts_with("kms-key-arn") + .conflicts_with("kms-key-region"), + ) + .arg( + Arg::with_name("kms-key-region") + .long("kms-key-region") + .help("The region in which the KMS key resides.") + .takes_value(true) + .conflicts_with("private-key"), + ) + .arg( + Arg::with_name("kms-key-arn") + .long("kms-key-arn") + .help("The KMS key ARN") + .takes_value(true) + .conflicts_with("private-key"), ), ) .subcommand( 
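Review bot: The `kms-key-region` and `kms-key-arn` arguments added in the last hunk on this line are only declared as conflicting with `private-key`; neither requires the other, so clap accepts `--kms-key-region` on its own. `BuildEnclavesArgs::new_with` checks only the ARN-without-region direction, so a lone region appears to be silently ignored rather than reported. Adding `.requires("kms-key-arn")` to the `kms-key-region` argument and `.requires("kms-key-region")` to `kms-key-arn` lets clap reject the incomplete pair with a usage error before any parsing code runs. The help string `"The KMS key ARN"` also lacks the trailing period that the same argument carries in the other subcommands. The subcommand definition starts before this hunk.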
@@ -806,15 +827,15 @@ macro_rules! create_app { .takes_value(true), ) .arg( - Arg::with_name("region") - .long("region") + Arg::with_name("kms-key-region") + .long("kms-key-region") .help("The region in which the KMS key resides.") .takes_value(true), ) .arg( - Arg::with_name("key-id") - .long("key-id") - .help("The KMS key id.") + Arg::with_name("kms-key-arn") + .long("kms-key-arn") + .help("The KMS key ARN.") .takes_value(true), ), ) From 55fec7874e90278bd9283de7e4c8f40c0d92f68a Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Tue, 27 Sep 2022 14:57:35 +0000 Subject: [PATCH 05/11] Update build-enclave tests --- tests/tests.rs | 67 +++++++++++++++++++++++++------------------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/tests/tests.rs b/tests/tests.rs index 2c129a1d..0bab7dcd 100644 --- a/tests/tests.rs +++ b/tests/tests.rs @@ -20,6 +20,7 @@ mod tests { new_enclave_name, }; use nitro_cli::{CID_TO_CONSOLE_PORT_OFFSET, VMADDR_CID_HYPERVISOR}; + use aws_nitro_enclaves_image_format::utils::eif_signer::SigningKey; use serde_json::json; use std::convert::TryInto; use std::fs::{File, OpenOptions}; @@ -80,7 +81,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -99,7 +100,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -110,7 +111,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -141,7 +142,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, 
@@ -152,7 +153,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -170,7 +171,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -181,7 +182,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -245,7 +246,7 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path), - private_key: Some(key_path), + signing_key: Some(SigningKey::LocalKey { path: key_path }), img_name: None, img_version: None, metadata: None, @@ -256,7 +257,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -288,7 +289,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -299,7 +300,7 @@ mod tests { &build_args.docker_dir, &build_args.output, &build_args.signing_certificate, - &build_args.private_key, + &build_args.signing_key, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -334,7 +335,7 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path), - private_key: Some(key_path), + signing_key: Some(SigningKey::LocalKey { path: key_path }), img_name: None, img_version: None, metadata: None, @@ -345,7 +346,7 @@ mod tests { &build_args.docker_dir, &build_args.output, &build_args.signing_certificate, - &build_args.private_key, + &build_args.signing_key, &build_args.img_name, &build_args.img_version, &build_args.metadata, 
@@ -375,7 +376,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -386,7 +387,7 @@ mod tests { &build_args.docker_dir, &build_args.output, &build_args.signing_certificate, - &build_args.private_key, + &build_args.signing_key, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -482,7 +483,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -493,7 +494,7 @@ mod tests { &build_args.docker_dir, &build_args.output, &build_args.signing_certificate, - &build_args.private_key, + &build_args.signing_key, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -524,7 +525,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -535,7 +536,7 @@ mod tests { &build_args.docker_dir, &build_args.output, &build_args.signing_certificate, - &build_args.private_key, + &build_args.signing_key, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -586,7 +587,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -597,7 +598,7 @@ mod tests { &build_args.docker_dir, &build_args.output, &build_args.signing_certificate, - &build_args.private_key, + &build_args.signing_key, &build_args.img_name, &build_args.img_version, &build_args.metadata, 
@@ -676,7 +677,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -687,7 +688,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -767,7 +768,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: Some("TestName".to_string()), img_version: Some("1.0".to_string()), metadata: Some(meta_path.to_str().unwrap().to_string()), @@ -778,7 +779,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -861,7 +862,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -872,7 +873,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -960,7 +961,7 @@ mod tests { docker_dir: None, output: eif_path.to_str().unwrap().to_string(), signing_certificate: None, - private_key: None, + signing_key: None, img_name: None, img_version: None, metadata: None, @@ -971,7 +972,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -1002,7 +1003,7 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path), - private_key: Some(key_path), + signing_key: Some(SigningKey::LocalKey { path: key_path }), img_name: None, img_version: None, metadata: None, 
@@ -1013,7 +1014,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, @@ -1044,7 +1045,7 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path.clone()), - private_key: Some(key_path), + signing_key: Some(SigningKey::LocalKey { path: key_path }), img_name: None, img_version: None, metadata: None, @@ -1055,7 +1056,7 @@ mod tests { &args.docker_dir, &args.output, &args.signing_certificate, - &args.private_key, + &args.signing_key, &args.img_name, &args.img_version, &args.metadata, From b0a87c3abc5c06423793bd009c3989386702d295 Mon Sep 17 00:00:00 2001 From: EC2 Default User Date: Wed, 10 May 2023 16:06:57 +0000 Subject: [PATCH 06/11] Update rust version to 1.65 and dependencies --- .github/workflows/ci.yml | 2 +- Cargo.lock | 806 +++++++++++++++++++++++++++- Cargo.toml | 7 +- driver-bindings/Cargo.toml | 2 +- eif_loader/Cargo.toml | 2 +- enclave_build/Cargo.toml | 2 +- samples/command_executer/Cargo.toml | 2 +- tools/Dockerfile | 2 +- vsock_proxy/Cargo.toml | 2 +- 9 files changed, 808 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 26734610..d61067f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - rust: [1.60.0, stable, nightly] + rust: [1.65.0, stable, nightly] steps: - uses: actions/checkout@v3 - uses: dtolnay/rust-toolchain@master diff --git a/Cargo.lock b/Cargo.lock index ca7a94a4..afe8587c 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -43,6 +43,81 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +[[package]] +name = "aws-config" +version = "0.54.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c3d1e2a1f1ab3ac6c4b884e37413eaa03eb9d901e4fc68ee8f5c1d49721680e" +dependencies = [ + "aws-credential-types", + "aws-http", + "aws-sdk-sso", + "aws-sdk-sts", + "aws-smithy-async 0.54.4", + "aws-smithy-client 0.54.4", + "aws-smithy-http 0.54.4", + "aws-smithy-http-tower 0.54.4", + "aws-smithy-json", + "aws-smithy-types 0.54.4", + "aws-types 0.54.1", + "bytes 1.1.0", + "hex", + "http", + "hyper", + "ring", + "time 0.3.21", + "tokio", + "tower", + "tracing", + "zeroize", +] + +[[package]] +name = "aws-credential-types" +version = "0.54.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb0696a0523a39a19087747e4dafda0362dc867531e3d72a3f195564c84e5e08" +dependencies = [ + "aws-smithy-async 0.54.4", + "aws-smithy-types 0.54.4", + "tokio", + "tracing", + "zeroize", +] + +[[package]] +name = "aws-endpoint" +version = "0.54.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "80a4f935ab6a1919fbfd6102a80c4fccd9ff5f47f94ba154074afe1051903261" +dependencies = [ + "aws-smithy-http 0.54.4", + "aws-smithy-types 0.54.4", + "aws-types 0.54.1", + "http", + "regex", + "tracing", +] + +[[package]] +name = "aws-http" +version = "0.54.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82976ca4e426ee9ca3ffcf919d9b2c8d14d0cd80d43cc02173737a8f07f28d4d" +dependencies = [ + "aws-credential-types", + "aws-smithy-http 0.54.4", + "aws-smithy-types 0.54.4", + "aws-types 0.54.1", + "bytes 1.1.0", + "http", + "http-body", + "lazy_static", + "percent-encoding", + "pin-project-lite", + "tracing", +] + [[package]] name = "aws-nitro-enclaves-cose" version = "0.5.0" 
@@ -75,7 +150,312 @@ dependencies = [ "serde", "serde_cbor", "serde_json", - "sha2", + "sha2 0.9.9", +] + +[[package]] +name = "aws-sdk-sso" +version = "0.24.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ca0119bacf0c42f587506769390983223ba834e605f049babe514b2bd646dbb2" +dependencies = [ + "aws-credential-types", + "aws-endpoint", + "aws-http", + "aws-sig-auth", + "aws-smithy-async 0.54.4", + "aws-smithy-client 0.54.4", + "aws-smithy-http 0.54.4", + "aws-smithy-http-tower 0.54.4", + "aws-smithy-json", + "aws-smithy-types 0.54.4", + "aws-types 0.54.1", + "bytes 1.1.0", + "http", + "regex", + "tokio-stream", + "tower", +] + +[[package]] +name = "aws-sdk-sts" +version = "0.24.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "270b6a33969ebfcb193512fbd5e8ee5306888ad6c6d5d775cdbfb2d50d94de26" +dependencies = [ + "aws-credential-types", + "aws-endpoint", + "aws-http", + "aws-sig-auth", + "aws-smithy-async 0.54.4", + "aws-smithy-client 0.54.4", + "aws-smithy-http 0.54.4", + "aws-smithy-http-tower 0.54.4", + "aws-smithy-json", + "aws-smithy-query", + "aws-smithy-types 0.54.4", + "aws-smithy-xml", + "aws-types 0.54.1", + "bytes 1.1.0", + "http", + "regex", + "tower", + "tracing", +] + +[[package]] +name = "aws-sig-auth" +version = "0.54.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "660a02a98ab1af83bd8d714afbab2d502ba9b18c49e7e4cddd6bf8837ff778cb" +dependencies = [ + "aws-credential-types", + "aws-sigv4", + "aws-smithy-http 0.54.4", + "aws-types 0.54.1", + "http", + "tracing", +] + +[[package]] +name = "aws-sigv4" +version = "0.54.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "86529e7b64d902efea8fff52c1b2529368d04f90305cf632729e3713f6b57dc0" +dependencies = [ + "aws-smithy-http 0.54.4", + "form_urlencoded", + "hex", + "hmac", + "http", + "once_cell", + "percent-encoding", + "regex", + "sha2 0.10.6", + "time 0.3.21", + "tracing", +] + 
+[[package]] +name = "aws-smithy-async" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "deb59cfdd21143006c01b9ca4dc4a9190b8c50c2ef831f9eb36f54f69efa42f1" +dependencies = [ + "futures-util", + "pin-project-lite", + "tokio", + "tokio-stream", +] + +[[package]] +name = "aws-smithy-async" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "63c712a28a4f2f2139759235c08bf98aca99d4fdf1b13c78c5f95613df0a5db9" +dependencies = [ + "futures-util", + "pin-project-lite", + "tokio", + "tokio-stream", +] + +[[package]] +name = "aws-smithy-client" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44243329ba8618474c3b7f396de281f175ae172dd515b3d35648671a3cf51871" +dependencies = [ + "aws-smithy-async 0.46.0", + "aws-smithy-http 0.46.0", + "aws-smithy-http-tower 0.46.0", + "aws-smithy-types 0.46.0", + "bytes 1.1.0", + "fastrand", + "http", + "http-body", + "pin-project-lite", + "tokio", + "tower", + "tracing", +] + +[[package]] +name = "aws-smithy-client" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "104ca17f56cde00a10207169697dfe9c6810db339d52fb352707e64875b30a44" +dependencies = [ + "aws-smithy-async 0.54.4", + "aws-smithy-http 0.54.4", + "aws-smithy-http-tower 0.54.4", + "aws-smithy-types 0.54.4", + "bytes 1.1.0", + "fastrand", + "http", + "http-body", + "hyper", + "hyper-rustls", + "lazy_static", + "pin-project-lite", + "tokio", + "tower", + "tracing", +] + +[[package]] +name = "aws-smithy-http" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fba78f69a5bbe7ac1826389304c67b789032d813574e78f9a2d450634277f833" +dependencies = [ + "aws-smithy-types 0.46.0", + "bytes 1.1.0", + "bytes-utils", + "futures-core", + "http", + "http-body", + "hyper", + "once_cell", + "percent-encoding", + "pin-project-lite", + "tracing", +] + +[[package]] +name 
= "aws-smithy-http" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "873f316f1833add0d3aa54ed1b0cd252ddd88c792a0cf839886400099971e844" +dependencies = [ + "aws-smithy-types 0.54.4", + "bytes 1.1.0", + "bytes-utils", + "futures-core", + "http", + "http-body", + "hyper", + "once_cell", + "percent-encoding", + "pin-project-lite", + "pin-utils", + "tracing", +] + +[[package]] +name = "aws-smithy-http-tower" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff8a512d68350561e901626baa08af9491cfbd54596201b84b4da846a59e4da3" +dependencies = [ + "aws-smithy-http 0.46.0", + "bytes 1.1.0", + "http", + "http-body", + "pin-project-lite", + "tower", + "tracing", +] + +[[package]] +name = "aws-smithy-http-tower" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4f38231d3f5dac9ac7976f44e12803add1385119ffca9e5f050d8e980733d164" +dependencies = [ + "aws-smithy-http 0.54.4", + "aws-smithy-types 0.54.4", + "bytes 1.1.0", + "http", + "http-body", + "pin-project-lite", + "tower", + "tracing", +] + +[[package]] +name = "aws-smithy-json" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4bd83ff2b79e9f729746fcc8ad798676b68fe6ea72986571569a5306a277a182" +dependencies = [ + "aws-smithy-types 0.54.4", +] + +[[package]] +name = "aws-smithy-query" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2f0445dafe9d2cd50b44339ae3c3ed46549aad8ac696c52ad660b3e7ae8682b" +dependencies = [ + "aws-smithy-types 0.54.4", + "urlencoding", +] + +[[package]] +name = "aws-smithy-types" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d230d281653de22fb0e9c7c74d18d724a39d7148e2165b1e760060064c4967c0" +dependencies = [ + "itoa", + "num-integer", + "ryu", + "time 0.3.21", +] + +[[package]] +name = "aws-smithy-types" +version 
= "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8161232eda10290f5136610a1eb9de56aceaccd70c963a26a260af20ac24794f" +dependencies = [ + "base64-simd", + "itoa", + "num-integer", + "ryu", + "time 0.3.21", +] + +[[package]] +name = "aws-smithy-xml" +version = "0.54.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "343ffe9a9bb3f542675f4df0e0d5933513d6ad038ca3907ad1767ba690a99684" +dependencies = [ + "xmlparser", +] + +[[package]] +name = "aws-types" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb54f097516352475a0159c9355f8b4737c54044538a4d9aca4d376ef2361ccc" +dependencies = [ + "aws-smithy-async 0.46.0", + "aws-smithy-client 0.46.0", + "aws-smithy-http 0.46.0", + "aws-smithy-types 0.46.0", + "http", + "rustc_version", + "tracing", + "zeroize", +] + +[[package]] +name = "aws-types" +version = "0.54.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8f15b34253b68cde08e39b0627cc6101bcca64351229484b4743392c035d057" +dependencies = [ + "aws-credential-types", + "aws-smithy-async 0.54.4", + "aws-smithy-client 0.54.4", + "aws-smithy-http 0.54.4", + "aws-smithy-types 0.54.4", + "http", + "rustc_version", + "tracing", ] [[package]] @@ -90,6 +470,16 @@ version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a" +[[package]] +name = "base64-simd" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "339abbe78e73178762e23bea9dfd08e697eb3f3301cd4be981c0f78ba5859195" +dependencies = [ + "outref", + "vsimd", +] + [[package]] name = "bindgen" version = "0.65.1" 
@@ -128,6 +518,15 @@ dependencies = [ "generic-array", ] +[[package]] +name = "block-buffer" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" +dependencies = [ + "generic-array", +] + [[package]] name = "build_const" version = "0.2.2" @@ -158,6 +557,16 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8" +[[package]] +name = "bytes-utils" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e47d3a8076e283f3acd27400535992edb3ba4b5bb72f8891ad8fbe7932a7d4b9" +dependencies = [ + "bytes 1.1.0", + "either", +] + [[package]] name = "cc" version = "1.0.73" @@ -190,7 +599,7 @@ dependencies = [ "num-integer", "num-traits", "serde", - "time", + "time 0.1.44", "wasm-bindgen", "winapi", ] @@ -240,6 +649,16 @@ dependencies = [ "unicode-width", ] +[[package]] +name = "core-foundation" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.3" @@ -273,6 +692,16 @@ dependencies = [ "cfg-if", ] +[[package]] +name = "crypto-common" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +dependencies = [ + "generic-array", + "typenum", +] + [[package]] name = "cxx" version = "1.0.68" 
@@ -326,6 +755,17 @@ dependencies = [ "generic-array", ] +[[package]] +name = "digest" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f" +dependencies = [ + "block-buffer 0.10.4", + "crypto-common", + "subtle", +] + [[package]] name = "dns-lookup" version = "1.0.8" @@ -349,7 +789,7 @@ dependencies = [ "aws-nitro-enclaves-image-format", "libc", "nix 0.26.2", - "sha2", + "sha2 0.9.9", "tempfile", "vsock", ] @@ -372,7 +812,7 @@ dependencies = [ "serde", "serde_json", "serde_yaml", - "sha2", + "sha2 0.9.9", "shiplift", "tempfile", "tokio", @@ -631,6 +1071,25 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" +[[package]] +name = "h2" +version = "0.3.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "17f8a914c2987b688368b5138aa05321db91f4090cf26118185672ad588bce21" +dependencies = [ + "bytes 1.1.0", + "fnv", + "futures-core", + "futures-sink", + "futures-util", + "http", + "indexmap", + "slab", + "tokio", + "tokio-util", + "tracing", +] + [[package]] name = "half" version = "1.8.2" @@ -664,6 +1123,15 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "hmac" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" +dependencies = [ + "digest 0.10.6", +] + [[package]] name = "http" version = "0.2.6" 
@@ -677,9 +1145,9 @@ dependencies = [ [[package]] name = "http-body" -version = "0.4.4" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ff4f84919677303da5f147645dbea6b1881f368d03ac84e1dc09031ebd7b2c6" +checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1" dependencies = [ "bytes 1.1.0", "http", @@ -714,6 +1182,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", + "h2", "http", "http-body", "httparse", @@ -745,6 +1214,21 @@ dependencies = [ "tower-layer", ] +[[package]] +name = "hyper-rustls" +version = "0.23.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1788965e61b367cd03a62950836d5cd41560c3577d90e40e0819373194d1661c" +dependencies = [ + "http", + "hyper", + "log", + "rustls", + "rustls-native-certs", + "tokio", + "tokio-rustls", +] + [[package]] name = "hyperlocal" version = "0.8.0" @@ -1014,7 +1498,9 @@ dependencies = [ name = "nitro-cli" version = "1.2.2" dependencies = [ + "aws-config", "aws-nitro-enclaves-image-format", + "aws-types 0.46.0", "bindgen", "chrono", "clap", @@ -1035,9 +1521,10 @@ dependencies = [ "serde", "serde_cbor", "serde_json", - "sha2", + "sha2 0.9.9", "signal-hook", "tempfile", + "tokio", "vmm-sys-util", "vsock", ] @@ -1166,6 +1653,12 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "openssl-probe" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" + [[package]] name = "openssl-sys" version = "0.9.86" 
@@ -1184,6 +1677,12 @@ version = "6.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ff7415e9ae3fff1225851df9e0d9e4e5479f947619774677a63572e55e80eff" +[[package]] +name = "outref" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4030760ffd992bef45b0ae3f10ce1aba99e33464c90d14dd7c039884963ddc7a" + [[package]] name = "overload" version = "0.1.1" @@ -1277,9 +1776,9 @@ dependencies = [ [[package]] name = "pin-project-lite" -version = "0.2.8" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e280fbe77cc62c91527259e9442153f4688736748d24660126286329742b4c6c" +checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" [[package]] name = "pin-utils" @@ -1392,12 +1891,36 @@ version = "0.6.25" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi", +] + [[package]] name = "rustc-hash" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" +[[package]] +name = "rustc_version" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" +dependencies = [ + "semver", +] + [[package]] name = "rustix" version = "0.36.9" 
@@ -1426,6 +1949,39 @@ dependencies = [ "windows-sys 0.45.0", ] +[[package]] +name = "rustls" +version = "0.20.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f" +dependencies = [ + "log", + "ring", + "sct", + "webpki", +] + +[[package]] +name = "rustls-native-certs" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0167bac7a9f490495f3c33013e7722b53cb087ecbe082fb0c6387c96f634ea50" +dependencies = [ + "openssl-probe", + "rustls-pemfile", + "schannel", + "security-framework", +] + +[[package]] +name = "rustls-pemfile" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d194b56d58803a43635bdc398cd17e383d6f71f9182b9a192c127ca42494a59b" +dependencies = [ + "base64 0.21.0", +] + [[package]] name = "rustversion" version = "1.0.6" @@ -1438,6 +1994,15 @@ version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f" +[[package]] +name = "schannel" +version = "0.1.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "713cfb06c7059f3588fb8044c0fad1d09e3c01d225e25b9220dbfdcf16dbb1b3" +dependencies = [ + "windows-sys 0.42.0", +] + [[package]] name = "scopeguard" version = "1.1.0" 
@@ -1450,6 +2015,45 @@ version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1792db035ce95be60c3f8853017b3999209281c24e2ba5bc8e59bf97a0c590c1" +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "security-framework" +version = "2.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a332be01508d814fed64bf28f798a146d73792121129962fdf335bb3c49a4254" +dependencies = [ + "bitflags", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "31c9bb296072e961fcbd8853511dd39c2d8be2deb1e17c6860b1d30732b323b4" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "semver" +version = "1.0.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bebd363326d05ec3e2f532ab7660680f3b02130d780c299bca73469d521bc0ed" + [[package]] name = "serde" version = "1.0.160" @@ -1539,13 +2143,24 @@ version = "0.9.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800" dependencies = [ - "block-buffer", + "block-buffer 0.9.0", "cfg-if", "cpufeatures", - "digest", + "digest 0.9.0", "opaque-debug", ] +[[package]] +name = "sha2" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82e6b795fe2e3b1e845bafcb27aa35405c4d47cdfc92af5fc8d3002f76cebdc0" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest 0.10.6", +] + [[package]] name = "shiplift" version = "0.7.0" 
@@ -1620,6 +2235,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + [[package]] name = "static_assertions" version = "1.1.0" @@ -1632,6 +2253,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "subtle" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" + [[package]] name = "syn" version = "1.0.109" @@ -1733,6 +2360,32 @@ dependencies = [ "winapi", ] +[[package]] +name = "time" +version = "0.3.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f3403384eaacbca9923fa06940178ac13e4edb725486d70e8e15881d0c836cc" +dependencies = [ + "serde", + "time-core", + "time-macros", +] + +[[package]] +name = "time-core" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb" + +[[package]] +name = "time-macros" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "372950940a5f07bf38dbe211d7283c9e6d7327df53794992d293e534c733d09b" +dependencies = [ + "time-core", +] + [[package]] name = "tinyvec" version = "1.5.1" @@ -1755,6 +2408,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0de47a4eecbe11f498978a9b29d792f0d2692d1dd003650c24c76510e3bc001" dependencies = [ "autocfg", + "bytes 1.1.0", "libc", "mio", "num_cpus", 
@@ -1775,6 +2429,58 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-rustls" +version = "0.23.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59" +dependencies = [ + "rustls", + "tokio", + "webpki", +] + +[[package]] +name = "tokio-stream" +version = "0.1.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "397c988d37662c7dda6d2208364a706264bf3d6138b11d436cbac0ad38832842" +dependencies = [ + "futures-core", + "pin-project-lite", + "tokio", +] + +[[package]] +name = "tokio-util" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d" +dependencies = [ + "bytes 1.1.0", + "futures-core", + "futures-sink", + "pin-project-lite", + "tokio", + "tracing", +] + +[[package]] +name = "tower" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8fa9be0de6cf49e536ce1851f987bd21a43b771b09473c3549a6c853db37c1c" +dependencies = [ + "futures-core", + "futures-util", + "pin-project 1.0.10", + "pin-project-lite", + "tokio", + "tower-layer", + "tower-service", + "tracing", +] + [[package]] name = "tower-layer" version = "0.3.1" @@ -1794,10 +2500,23 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4a1bdf54a7c28a2bbf701e1d2233f6c77f473486b94bee4f9678da5a148dca7f" dependencies = [ "cfg-if", + "log", "pin-project-lite", + "tracing-attributes", "tracing-core", ] +[[package]] +name = "tracing-attributes" +version = "0.1.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4017f8f45139870ca7e672686113917c71c7a6e02d4924eda67186083c03081a" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "tracing-core" version = "0.1.23" 
@@ -1846,6 +2565,12 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "url" version = "2.3.1" @@ -1857,6 +2582,12 @@ dependencies = [ "percent-encoding", ] +[[package]] +name = "urlencoding" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e8db7427f936968176eaa7cdf81b7f98b980b18495ec28f1b5791ac3bfe3eea9" + [[package]] name = "vcpkg" version = "0.2.15" @@ -1879,6 +2610,12 @@ dependencies = [ "libc", ] +[[package]] +name = "vsimd" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64" + [[package]] name = "vsock" version = "0.3.0" @@ -1982,6 +2719,26 @@ version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be" +[[package]] +name = "web-sys" +version = "0.3.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "which" version = "4.2.4" 
@@ -2037,6 +2794,21 @@ dependencies = [ "windows_x86_64_msvc 0.32.0", ] +[[package]] +name = "windows-sys" +version = "0.42.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7" +dependencies = [ + "windows_aarch64_gnullvm", + "windows_aarch64_msvc 0.42.1", + "windows_i686_gnu 0.42.1", + "windows_i686_msvc 0.42.1", + "windows_x86_64_gnu 0.42.1", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc 0.42.1", +] + [[package]] name = "windows-sys" version = "0.45.0" @@ -2142,6 +2914,12 @@ dependencies = [ "libc", ] +[[package]] +name = "xmlparser" +version = "0.13.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4d25c75bf9ea12c4040a97f829154768bbbce366287e2dc044af160cd79a13fd" + [[package]] name = "yaml-rust" version = "0.4.5" @@ -2150,3 +2928,9 @@ checksum = "56c1936c4cc7a1c9ab21a1ebb602eb942ba868cbd44a99cb7cdc5892335e1c85" dependencies = [ "linked-hash-map", ] + +[[package]] +name = "zeroize" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9" diff --git a/Cargo.toml b/Cargo.toml index 66988c11..c550b234 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -4,7 +4,7 @@ version = "1.2.2" authors = ["The AWS Nitro Enclaves Team "] edition = "2018" license = "Apache-2.0" -rust-version = "1.60" +rust-version = "1.65" [dependencies] serde = { version = ">=1.0", features = ["derive"] } @@ -28,6 +28,9 @@ vsock = "0.3" vmm-sys-util = "0.11.1" sha2 = "0.9.5" hex = "0.4" +aws-config = "0.54" +tokio = { version = "1.20", features = ["rt-multi-thread"] } +aws-types = "0.46" lazy_static = "1.4.0" @@ -39,6 +42,8 @@ log = "0.4" num-derive = "0.3" num-traits = "0.2" tempfile = "3.5" +aws-nitro-enclaves-image-format = "0.2" +openssl = "0.10" [workspace] members = [".", "driver-bindings", "eif_loader", "enclave_build", "vsock_proxy"] 
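Review bot: `aws-types = "0.46"` in the first Cargo.toml hunk does not line up with `aws-config = "0.54"`, added two lines above it. The pre-1.0 AWS SDK crates are, as far as I know, released in lockstep, so this probably resolves a second, older `aws-types` next to the one `aws-config` already depends on, and a `Region` from one cannot be passed to the other. I would pin it as `aws-types = "0.54"`, or drop the direct dependency if the code only reaches the region through `aws-config`. These additions also bring an HTTP/TLS client stack into the CLI (the lockfile hunks above add `tokio-rustls`, `webpki` and `sct`), so it is worth running `cargo audit` or `cargo deny` against the new lockfile in CI.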
diff --git a/driver-bindings/Cargo.toml b/driver-bindings/Cargo.toml index 76d301cd..66041e4c 100644 --- a/driver-bindings/Cargo.toml +++ b/driver-bindings/Cargo.toml @@ -4,4 +4,4 @@ version = "0.1.0" authors = ["The AWS Nitro Enclaves Team "] edition = "2018" description = "Rust FFI bindings to Linux Nitro Enclaves driver generated using bindgen." -rust-version = "1.60" +rust-version = "1.65" diff --git a/eif_loader/Cargo.toml b/eif_loader/Cargo.toml index a2394a62..31ffe86f 100644 --- a/eif_loader/Cargo.toml +++ b/eif_loader/Cargo.toml @@ -3,7 +3,7 @@ name = "eif_loader" version = "0.1.0" authors = ["The AWS Nitro Enclaves Team "] edition = "2018" -rust-version = "1.60" +rust-version = "1.65" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/enclave_build/Cargo.toml b/enclave_build/Cargo.toml index f86b7487..8565daa6 100644 --- a/enclave_build/Cargo.toml +++ b/enclave_build/Cargo.toml @@ -3,7 +3,7 @@ name = "enclave_build" version = "0.1.0" authors = ["The AWS Nitro Enclaves Team "] edition = "2018" -rust-version = "1.60" +rust-version = "1.65" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/samples/command_executer/Cargo.toml b/samples/command_executer/Cargo.toml index d8b01ed7..c0d94cf5 100644 --- a/samples/command_executer/Cargo.toml +++ b/samples/command_executer/Cargo.toml @@ -3,7 +3,7 @@ name = "command-executer" version = "0.1.0" authors = ["The AWS Nitro Enclaves Team "] edition = "2018" -rust-version = "1.60" +rust-version = "1.65" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/tools/Dockerfile b/tools/Dockerfile index 01498fb3..ada6e88b 100644 --- a/tools/Dockerfile +++ b/tools/Dockerfile 
@@ -30,7 +30,7 @@ RUN cd /tmp/openssl_src/openssl-${OPENSSL_VERSION} && \ make install_sw # Setup the right rust ver -ENV RUST_VERSION=1.60.0 +ENV RUST_VERSION=1.65.0 RUN source $HOME/.cargo/env && \ ARCH=$(uname -m) && \ rustup toolchain install ${RUST_VERSION}-${ARCH}-unknown-linux-gnu && \ diff --git a/vsock_proxy/Cargo.toml b/vsock_proxy/Cargo.toml index e180b09c..d80f3da5 100644 --- a/vsock_proxy/Cargo.toml +++ b/vsock_proxy/Cargo.toml @@ -3,7 +3,7 @@ name = "vsock-proxy" version = "0.1.0" authors = ["The AWS Nitro Enclaves Team "] edition = "2018" -rust-version = "1.60" +rust-version = "1.65" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html From 3793a7e2ad610cbe5c1dd5b98d4d2f7dc122508c Mon Sep 17 00:00:00 2001 From: EC2 Default User Date: Thu, 11 May 2023 08:48:56 +0000 Subject: [PATCH 07/11] Update tests - Adjust existing tests to work with the changes needed for kms-signing - Add test for signing existing eifs --- tests/test_nitro_cli_args.rs | 120 +++++++++++++++++ tests/tests.rs | 250 +++++++++++++++++++++++++++++++++-- 2 files changed, 361 insertions(+), 9 deletions(-) diff --git a/tests/test_nitro_cli_args.rs b/tests/test_nitro_cli_args.rs index 8bf5a247..c2f107de 100644 --- a/tests/test_nitro_cli_args.rs +++ b/tests/test_nitro_cli_args.rs 
@@ -650,4 +650,124 @@ mod test_nitro_cli_args { assert_eq!(app.get_matches_from_safe(args).is_err(), false) } + + #[test] + fn sign_eif_pkey_correct() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "sign-eif", + "--signing-certificate", + "cert.pem", + "--private-key", + "key.pem", + "--eif-path", + "image.eif", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), false) + } + + #[test] + fn sign_eif_kms_correct() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "sign-eif", + "--signing-certificate", + "cert.pem", + "--kms-key-arn", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--kms-key-region", + "eu-west-1", + "--eif-path", + "image.eif", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), false) + } + + #[test] + fn sign_eif_kms_no_region_correct() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "sign-eif", + "--signing-certificate", + "cert.pem", + "--kms-key-arn", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--eif-path", + "image.eif", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), false) + } + + #[test] + fn sign_eif_conflicting_arguments() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "sign-eif", + "--signing-certificate", + "cert.pem", + "--private-key", + "key.pem", + "--kms-key-arn", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--eif-path", + "image.eif", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), true) + } + + #[test] + fn build_kms_signed_enclave_correct_command() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "build-enclave", + "--docker-uri", + "dkr.ecr.us-east-1.amazonaws.com/stronghold-develss", + "--docker-dir", + "dir/", + "--output-file", + "image.eif", + "--signing-certificate", + "cert.pem", + "--kms-key-arn", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--kms-key-region", + "eu-west-1", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), false) + } + + #[test] + fn 
build_kms_signed_enclave_conflicting_arguments() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "build-enclave", + "--docker-uri", + "dkr.ecr.us-east-1.amazonaws.com/stronghold-develss", + "--docker-dir", + "dir/", + "--output-file", + "image.eif", + "--signing-certificate", + "cert.pem", + "--kms-key-arn", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--kms-key-region", + "eu-west-1", + "--private-key", + "key.pem", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), true) + } } diff --git a/tests/tests.rs b/tests/tests.rs index 0bab7dcd..469358fe 100644 --- a/tests/tests.rs +++ b/tests/tests.rs @@ -6,7 +6,7 @@ #[cfg(test)] mod tests { use nitro_cli::common::commands_parser::{ - BuildEnclavesArgs, RunEnclavesArgs, TerminateEnclavesArgs, + BuildEnclavesArgs, RunEnclavesArgs, TerminateEnclavesArgs, DescribeArgs, SignArgs, }; use nitro_cli::common::json_output::EnclaveDescribeInfo; use nitro_cli::enclave_proc::commands::{describe_enclaves, run_enclaves, terminate_enclaves}; @@ -17,7 +17,7 @@ mod tests { use nitro_cli::utils::{Console, PcrType}; use nitro_cli::{ build_enclaves, build_from_docker, describe_eif, enclave_console, get_file_pcr, - new_enclave_name, + new_enclave_name, sign_eif_file }; use nitro_cli::{CID_TO_CONSOLE_PORT_OFFSET, VMADDR_CID_HYPERVISOR}; use aws_nitro_enclaves_image_format::utils::eif_signer::SigningKey; @@ -246,7 +246,9 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path), - signing_key: Some(SigningKey::LocalKey { path: key_path }), + signing_key: Some(SigningKey::LocalKey { + path: key_path, + }), img_name: None, img_version: None, metadata: None, @@ -316,6 +318,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; run_describe_terminate(args); } 
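Review bot: The new `sign-eif` tests cover `--private-key` against `--kms-key-arn`, but not `--private-key` together with `--kms-key-region` alone, nor a call with no key source at all. Both cases decide whether an image is signed with the key the operator meant, so each deserves a rejecting test beside `sign_eif_conflicting_arguments`. The first is sketched below and assumes the `conflicts_with("private-key")` rule on `kms-key-region` is already in place for this subcommand; the second should land with whichever patch makes clap require one of the two key arguments. The value passed to `--kms-key-arn` in these tests is a bare key id rather than an ARN, which is harmless for argument parsing but reads as if either form were accepted.

```rust
#[test]
fn sign_eif_private_key_with_kms_region() {
    let app = create_app!();
    let args = vec![
        "nitro cli",
        "sign-eif",
        "--signing-certificate",
        "cert.pem",
        "--private-key",
        "key.pem",
        "--kms-key-region",
        "eu-west-1",
        "--eif-path",
        "image.eif",
    ];

    assert_eq!(app.get_matches_from_safe(args).is_err(), true)
}
```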
@@ -335,7 +339,9 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path), - signing_key: Some(SigningKey::LocalKey { path: key_path }), + signing_key: Some(SigningKey::LocalKey { + path: key_path, + }), img_name: None, img_version: None, metadata: None, @@ -362,6 +368,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; run_describe_terminate(args); } @@ -403,6 +411,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; run_describe_terminate(args); } @@ -510,6 +520,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; run_describe_terminate(run_args); @@ -552,6 +564,8 @@ mod tests { debug_mode: false, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let mut enclave_manager = run_enclaves(&run_args, None) @@ -614,6 +628,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let mut enclave_manager = run_enclaves(&run_args, None) @@ -705,6 +721,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let run_result = run_enclaves(&run_args, None).expect("Run enclaves failed"); let mut enclave_manager = run_result.enclave_manager; @@ -796,6 +814,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let run_result = run_enclaves(&run_args, None).expect("Run enclaves failed"); let mut enclave_manager = run_result.enclave_manager; 
@@ -890,6 +910,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: None, + kms_key_region: None, + kms_key_arn: None, }; let names = Vec::new(); run_args.enclave_name = @@ -920,6 +942,8 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("enclaveName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let mut names = Vec::new(); let name = @@ -979,7 +1003,13 @@ mod tests { ) .expect("Docker build failed"); - let eif_info = describe_eif(args.output).unwrap(); + let describe_args = DescribeArgs { + eif_path: args.output, + kms_key_region: None, + kms_key_arn: None, + }; + + let eif_info = describe_eif(describe_args).unwrap(); assert_eq!(eif_info.version, 4); assert_eq!(eif_info.is_signed, false); @@ -1003,7 +1033,9 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path), - signing_key: Some(SigningKey::LocalKey { path: key_path }), + signing_key: Some(SigningKey::LocalKey { + path: key_path, + }), img_name: None, img_version: None, metadata: None, @@ -1021,7 +1053,13 @@ mod tests { ) .expect("Docker build failed"); - let eif_info = describe_eif(args.output).unwrap(); + let describe_args = DescribeArgs { + eif_path: args.output, + kms_key_region: None, + kms_key_arn: None, + }; + + let eif_info = describe_eif(describe_args).unwrap(); assert_eq!(eif_info.version, 4); assert_eq!(eif_info.is_signed, true); @@ -1045,7 +1083,9 @@ mod tests { docker_dir: None, output: eif_path, signing_certificate: Some(cert_path.clone()), - signing_key: Some(SigningKey::LocalKey { path: key_path }), + signing_key: Some(SigningKey::LocalKey { + path: key_path, + }), img_name: None, img_version: None, metadata: None, 
@@ -1063,8 +1103,200 @@ mod tests { ) .expect("Docker build failed"); + let describe_args = DescribeArgs { + eif_path: args.output, + kms_key_region: None, + kms_key_arn: None, + }; + + // Describe EIF and get PCR8 + let eif_info = describe_eif(describe_args).unwrap(); + // Hash signing certificate and verify that PCR8 is the same (identifying the certificate) + let pcr = get_file_pcr(cert_path, PcrType::SigningCertificate).unwrap(); + + assert_eq!( + eif_info + .build_info + .measurements + .get(&"PCR8".to_string()) + .unwrap(), + pcr.get(&"PCR8".to_string()).unwrap(), + ); + } + + #[test] + fn build_sign_describe_simple_image() { + let dir = tempdir().unwrap(); + let dir_path = dir.path().to_str().unwrap(); + let eif_path = format!("{}/test.eif", dir_path); + let cert_path = format!("{}/cert.pem", dir_path); + let key_path = format!("{}/key.pem", dir_path); + generate_signing_cert_and_key(&cert_path, &key_path); + + setup_env(); + let args = BuildEnclavesArgs { + docker_uri: SAMPLE_DOCKER.to_string(), + docker_dir: None, + output: eif_path.clone(), + signing_certificate: None, + signing_key: None, + img_name: None, + img_version: None, + metadata: None, + }; + + build_from_docker( + &args.docker_uri, + &args.docker_dir, + &args.output, + &args.signing_certificate, + &args.signing_key, + &args.img_name, + &args.img_version, + &args.metadata, + ) + .expect("Docker build failed"); + + let sign_args = SignArgs{ + signing_method: "PrivateKey".to_string(), + eif_path: eif_path, + signing_certificate: cert_path, + signing_key: SigningKey::LocalKey { + path: key_path, + }, + }; + + sign_eif_file(sign_args) + .expect("Sign eif failed"); + + let describe_args = DescribeArgs { + eif_path: args.output, + kms_key_region: None, + kms_key_arn: None, + }; + + let eif_info = describe_eif(describe_args).unwrap(); + + assert_eq!(eif_info.version, 4); + assert_eq!(eif_info.is_signed, true); + assert!(eif_info.cert_info.is_some()); + assert!(eif_info.crc_check); + 
assert!(eif_info.sign_check.unwrap()); + } + + #[test] + fn build_sign_run_describe_terminate_sign_enclave_image() { + let dir = tempdir().unwrap(); + let dir_path = dir.path().to_str().unwrap(); + let eif_path = format!("{}/test.eif", dir_path); + let cert_path = format!("{}/cert.pem", dir_path); + let key_path = format!("{}/key.pem", dir_path); + generate_signing_cert_and_key(&cert_path, &key_path); + + setup_env(); + let build_args = BuildEnclavesArgs { + docker_uri: SAMPLE_DOCKER.to_string(), + docker_dir: None, + output: eif_path.clone(), + signing_certificate: None, + signing_key: None, + img_name: None, + img_version: None, + metadata: None, + }; + + build_from_docker( + &build_args.docker_uri, + &build_args.docker_dir, + &build_args.output, + &build_args.signing_certificate, + &build_args.signing_key, + &build_args.img_name, + &build_args.img_version, + &build_args.metadata, + ) + .expect("Docker build failed"); + + let sign_args = SignArgs{ + signing_method: "PrivateKey".to_string(), + eif_path: eif_path, + signing_certificate: cert_path, + signing_key: SigningKey::LocalKey { + path: key_path, + }, + }; + + sign_eif_file(sign_args) + .expect("Sign eif failed"); + + let args = RunEnclavesArgs { + enclave_cid: None, + eif_path: build_args.output, + cpu_ids: None, + cpu_count: Some(2), + memory_mib: 256, + debug_mode: true, + attach_console: false, + enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, + }; + run_describe_terminate(args); + } + + #[test] + fn build_sign_get_certificate_pcr() { + let dir = tempdir().unwrap(); + let dir_path = dir.path().to_str().unwrap(); + let eif_path = format!("{}/test.eif", dir_path); + let cert_path = format!("{}/cert.pem", dir_path); + let key_path = format!("{}/key.pem", dir_path); + generate_signing_cert_and_key(&cert_path, &key_path); + + setup_env(); + let args = BuildEnclavesArgs { + docker_uri: SAMPLE_DOCKER.to_string(), + docker_dir: None, + output: eif_path.clone(), + 
signing_certificate: None, + signing_key: None, + img_name: None, + img_version: None, + metadata: None, + }; + + build_from_docker( + &args.docker_uri, + &args.docker_dir, + &args.output, + &args.signing_certificate, + &args.signing_key, + &args.img_name, + &args.img_version, + &args.metadata, + ) + .expect("Docker build failed"); + + let sign_args = SignArgs{ + signing_method: "PrivateKey".to_string(), + eif_path: eif_path, + signing_certificate: cert_path.clone(), + signing_key: SigningKey::LocalKey { + path: key_path, + }, + }; + + sign_eif_file(sign_args) + .expect("Sign eif failed"); + + let describe_args = DescribeArgs { + eif_path: args.output, + kms_key_region: None, + kms_key_arn: None, + }; + // Describe EIF and get PCR8 - let eif_info = describe_eif(args.output).unwrap(); + let eif_info = describe_eif(describe_args).unwrap(); // Hash signing certificate and verify that PCR8 is the same (identifying the certificate) let pcr = get_file_pcr(cert_path, PcrType::SigningCertificate).unwrap(); From 72f4f862af4c76cca33f96865c90ee351f9b119d Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Thu, 11 May 2023 09:11:29 +0000 Subject: [PATCH 08/11] KMS image signing adjustments - use default region from config if region argument was not provided - change argument conditions and conflicts - use async calls to init kms key - print measurements after signing an existing image --- src/common/commands_parser.rs | 60 +++++++++++++++++++++++++++++------ src/enclave_proc/cpu_info.rs | 4 +++ src/lib.rs | 21 +++++++++++- 3 files changed, 74 insertions(+), 11 deletions(-) diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index 27ef5c3d..0e31d0fd 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs 
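Review bot: The three new `build_sign_*` tests only exercise the success path of `sign_eif_file`: each signs with the matching pair from `generate_signing_cert_and_key` and then checks a positive outcome. Nothing here shows what happens when the certificate and the private key do not belong together, which is the case a signature check exists for. I would add a test that generates two pairs, passes the certificate of one with the key of the other, and asserts that either `sign_eif_file` returns an error or `describe_eif` reports `sign_check` as `Some(false)`, whichever the implementation intends. Separately, `SignArgs{` and `eif_path: eif_path` suggest the added code has not been through rustfmt.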
@@ -15,6 +15,7 @@ use crate::common::{NitroCliErrorEnum, NitroCliFailure, NitroCliResult, VMADDR_C use crate::get_id_by_name; use crate::new_nitro_cli_failure; use crate::utils::PcrType; +use tokio::runtime::Runtime; /// The arguments used by the `run-enclave` command. #[derive(Debug, Clone, Serialize, Deserialize)] @@ -79,6 +80,16 @@ impl RunEnclavesArgs { Ok(json) } else { + let mut kms_key_region = parse_kms_key_region(args); + if kms_key_region.is_none() { + let act = async { + let config = aws_config::load_from_env().await; + kms_key_region = Some(config.region().unwrap().to_string()); + eprintln!("Using default region from aws config: {}", config.region().unwrap()); + }; + let runtime = Runtime::new().unwrap(); + runtime.block_on(act); + } Ok(RunEnclavesArgs { cpu_count: parse_cpu_count(args) .map_err(|err| err.add_subaction("Parse CPU count".to_string()))?, @@ -94,7 +105,7 @@ impl RunEnclavesArgs { attach_console: attach_console(args), enclave_name: parse_enclave_name(args) .map_err(|err| err.add_subaction("Parse enclave name".to_string()))?, - kms_key_region: parse_kms_key_region(args), + kms_key_region, kms_key_arn: parse_kms_key_arn(args), }) } @@ -127,7 +138,7 @@ impl BuildEnclavesArgs { pub fn new_with(args: &ArgMatches) -> NitroCliResult { let signing_certificate = parse_signing_certificate(args); let private_key = parse_private_key(args); - let kms_key_region = parse_kms_key_region(args); + let mut kms_key_region = parse_kms_key_region(args); let kms_key_arn = parse_kms_key_arn(args); let signing_key = match (&private_key, &kms_key_arn) { 
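Review bot: `config.region().unwrap()` in the fallback added to `RunEnclavesArgs::new_with` panics when the AWS configuration has no default region, so argument parsing aborts instead of returning a `NitroCliFailure`. Assigning `kms_key_region = config.region().map(|r| r.to_string());` and printing the "Using default region" line only when that is `Some` keeps the error path usable; `Runtime::new().unwrap()` would be better mapped to an error as well. The same block is repeated in the `BuildEnclavesArgs`, `SignArgs` and `DescribeArgs` hunks of this file, where the `kms_key_region.is_none()` check that follows it can never fire as written. In this hunk the lookup also runs whenever `--kms-key-region` is absent, whether or not a KMS key was given, so a plain `run-enclave` now depends on AWS configuration being resolvable (PATCH 09/11 later removes it from run and describe only). `new_with` starts and ends outside the hunk.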
@@ -135,6 +146,15 @@ impl BuildEnclavesArgs { path: private_key.unwrap(), }), (None, Some(_)) => { + if kms_key_region.is_none() { + let act = async { + let config = aws_config::load_from_env().await; + kms_key_region = Some(config.region().unwrap().to_string()); + eprintln!("Using default region from aws config: {}", config.region().unwrap()); + }; + let runtime = Runtime::new().unwrap(); + runtime.block_on(act); + } if kms_key_region.is_none() { return Err(new_nitro_cli_failure!( "`kms-key-region` argument not found", @@ -324,7 +344,7 @@ impl SignArgs { /// Construct a new `SignArg` instance from the given command-line arguments. pub fn new_with(args: &ArgMatches) -> NitroCliResult { let private_key = parse_private_key(args); - let kms_key_region = parse_kms_key_region(args); + let mut kms_key_region = parse_kms_key_region(args); let kms_key_arn = parse_kms_key_arn(args); let signing_key; let signing_method; @@ -337,6 +357,15 @@ impl SignArgs { signing_method = "PrivateKey"; } (None, Some(_)) => { + if kms_key_region.is_none() { + let act = async { + let config = aws_config::load_from_env().await; + kms_key_region = Some(config.region().unwrap().to_string()); + eprintln!("Using default region from aws config: {}", config.region().unwrap()); + }; + let runtime = Runtime::new().unwrap(); + runtime.block_on(act); + } if kms_key_region.is_none() { return Err(new_nitro_cli_failure!( "`kms-key-region` argument not found", @@ -388,9 +417,9 @@ pub struct DescribeArgs { impl DescribeArgs { /// Construct a new `DescribeArgs` instance from the given command-line arguments. pub fn new_with(args: &ArgMatches) -> NitroCliResult { - let kms_key_region = parse_kms_key_region(args); + let mut kms_key_region = parse_kms_key_region(args); let kms_key_arn = parse_kms_key_arn(args); - + match (&kms_key_region, &kms_key_arn) { (Some(_), None) => { return Err(new_nitro_cli_failure!( 
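Review bot: Falling back to the ambient AWS configuration for the region in the `(None, Some(_))` arms of `BuildEnclavesArgs::new_with` and `SignArgs::new_with` means the environment (for example the active profile) takes part in choosing the signing key whenever `--kms-key-arn` is given a bare key id, as the tests in this series do. A full key ARN already names its region, so I would take the region from the ARN when one is supplied and keep the config fallback for bare ids only, or at least fail when the two disagree. If the fallback stays, a comment at the block such as `// Region comes from the ambient AWS config; with a bare key id this selects which key signs.` would make the trust assumption visible. Both functions continue outside their hunks.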
@@ -400,11 +429,22 @@ impl DescribeArgs { .add_info(vec!["kms-key-arn"])) } (None, Some(_)) => { - return Err(new_nitro_cli_failure!( - "`kms-key-region` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["kms-key-region"])) + if kms_key_region.is_none() { + let act = async { + let config = aws_config::load_from_env().await; + kms_key_region = Some(config.region().unwrap().to_string()); + eprintln!("Using default region from aws config: {}", config.region().unwrap()); + }; + let runtime = Runtime::new().unwrap(); + runtime.block_on(act); + } + if kms_key_region.is_none() { + return Err(new_nitro_cli_failure!( + "`kms-key-region` argument not found", + NitroCliErrorEnum::MissingArgument + ) + .add_info(vec!["kms-key-region"])) + } } _ => (), }; diff --git a/src/enclave_proc/cpu_info.rs b/src/enclave_proc/cpu_info.rs index 2bfd70fd..a3deef22 100644 --- a/src/enclave_proc/cpu_info.rs +++ b/src/enclave_proc/cpu_info.rs @@ -285,6 +285,8 @@ mod tests { cpu_ids: None, cpu_count: Some(343), enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let mut result = cpu_info.get_cpu_config(&run_args); @@ -318,6 +320,8 @@ mod tests { cpu_ids: None, cpu_count: Some(2), enclave_name: Some("testName".to_string()), + kms_key_region: None, + kms_key_arn: None, }; let mut result = cpu_info.get_cpu_config(&run_args); diff --git a/src/lib.rs b/src/lib.rs index fc9b9518..d45e2c89 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -81,7 +81,19 @@ pub fn sign_eif_file(args: SignArgs) -> NitroCliResult<()> { NitroCliErrorEnum::EifParsingError ) })?; - signer.sign_image().expect("Failed signing"); + let measurements = signer.sign_image().expect("Failed signing"); + + eprintln!("Successfully signed the Enclave Image."); + + let info = EnclaveBuildInfo::new(measurements); + println!( + "{}", + serde_json::to_string_pretty(&info).map_err(|err| new_nitro_cli_failure!( + &format!("Failed to display EnclaveBuild data: {:?}", err), + NitroCliErrorEnum::SerdeError + ))? + ); + Ok(()) } @@ -806,6 +818,7 @@ macro_rules! create_app { .long("kms-key-region") .help("The region in which the KMS key resides.") .takes_value(true) + .required(false) .conflicts_with("private-key"), ) .arg( @@ -813,6 +826,7 @@ macro_rules! create_app { .long("kms-key-arn") .help("The KMS key ARN") .takes_value(true) + .required(false) .conflicts_with("private-key"), ), ) @@ -830,12 +844,14 @@ macro_rules! create_app { Arg::with_name("kms-key-region") .long("kms-key-region") .help("The region in which the KMS key resides.") + .required(false) .takes_value(true), ) .arg( Arg::with_name("kms-key-arn") .long("kms-key-arn") .help("The KMS key ARN.") + .required(false) .takes_value(true), ), ) @@ -928,6 +944,7 @@ macro_rules! create_app { .long("private-key") .help("Local path to developer's Eliptic Curve private key.") .takes_value(true) + .required_unless("kms-key-arn") .conflicts_with("kms-key-arn") .conflicts_with("kms-key-region"), ) @@ -936,6 +953,7 @@ macro_rules! create_app { .long("kms-key-region") .help("The region in which the KMS key resides.") .takes_value(true) + .required(false) .conflicts_with("private-key"), ) .arg( @@ -943,6 +961,7 @@ macro_rules! create_app { .long("kms-key-arn") .help("The KMS key ARN") .takes_value(true) + .required_unless("private-key") .conflicts_with("private-key"), ), ) From ca0ad2a8b8e8be4cbcc708f7576267e5b9d235f7 Mon Sep 17 00:00:00 2001 
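Review bot: `signer.sign_image().expect("Failed signing")` in `sign_eif_file` turns any signing failure into a panic, although the function returns `NitroCliResult<()>` and the call just above it maps its error with `new_nitro_cli_failure!`. With KMS-backed keys a refused or unreachable signing request is an ordinary runtime condition, and the operator should get the CLI's error report rather than a backtrace. I would write `let measurements = signer.sign_image().map_err(|err| new_nitro_cli_failure!(&format!("Failed to sign EIF: {:?}", err), NitroCliErrorEnum::<VARIANT>))?;`, with `<VARIANT>` standing for whichever existing error kind fits (this assumes the error type implements `Debug`). The function begins above the hunk.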
From: Vlad Proteasa Date: Thu, 11 May 2023 11:17:21 +0000 Subject: [PATCH 09/11] Remove kms arguments from run and describe --- src/common/commands_parser.rs | 53 ----------------------------------- src/enclave_proc/commands.rs | 2 +- src/enclave_proc/cpu_info.rs | 4 --- src/lib.rs | 32 --------------------- tests/tests.rs | 32 --------------------- 5 files changed, 1 insertion(+), 122 deletions(-) diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index 0e31d0fd..1de9ba06 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs @@ -38,10 +38,6 @@ pub struct RunEnclavesArgs { pub cpu_count: Option, /// Enclave name set by the user. pub enclave_name: Option, - /// The region in which the KMS key resides. - pub kms_key_region: Option, - /// The KMS key id. - pub kms_key_arn: Option, } impl RunEnclavesArgs { @@ -80,16 +76,6 @@ impl RunEnclavesArgs { Ok(json) } else { - let mut kms_key_region = parse_kms_key_region(args); - if kms_key_region.is_none() { - let act = async { - let config = aws_config::load_from_env().await; - kms_key_region = Some(config.region().unwrap().to_string()); - eprintln!("Using default region from aws config: {}", config.region().unwrap()); - }; - let runtime = Runtime::new().unwrap(); - runtime.block_on(act); - } Ok(RunEnclavesArgs { cpu_count: parse_cpu_count(args) .map_err(|err| err.add_subaction("Parse CPU count".to_string()))?, @@ -105,8 +91,6 @@ impl RunEnclavesArgs { attach_console: attach_console(args), enclave_name: parse_enclave_name(args) .map_err(|err| err.add_subaction("Parse enclave name".to_string()))?, - kms_key_region, - kms_key_arn: parse_kms_key_arn(args), }) } } 
@@ -408,52 +392,15 @@ impl SignArgs { pub struct DescribeArgs { /// The path to the enclave image file. pub eif_path: String, - /// The region in which the KMS key resides. - pub kms_key_region: Option, - /// The KMS key id. - pub kms_key_arn: Option, } impl DescribeArgs { /// Construct a new `DescribeArgs` instance from the given command-line arguments. pub fn new_with(args: &ArgMatches) -> NitroCliResult { - let mut kms_key_region = parse_kms_key_region(args); - let kms_key_arn = parse_kms_key_arn(args); - - match (&kms_key_region, &kms_key_arn) { - (Some(_), None) => { - return Err(new_nitro_cli_failure!( - "`kms-key-arn` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["kms-key-arn"])) - } - (None, Some(_)) => { - if kms_key_region.is_none() { - let act = async { - let config = aws_config::load_from_env().await; - kms_key_region = Some(config.region().unwrap().to_string()); - eprintln!("Using default region from aws config: {}", config.region().unwrap()); - }; - let runtime = Runtime::new().unwrap(); - runtime.block_on(act); - } - if kms_key_region.is_none() { - return Err(new_nitro_cli_failure!( - "`kms-key-region` argument not found", - NitroCliErrorEnum::MissingArgument - ) - .add_info(vec!["kms-key-region"])) - } - } - _ => (), - }; Ok(DescribeArgs { eif_path: parse_eif_path(args) .map_err(|err| err.add_subaction("Parse EIF path".to_string()))?, - kms_key_region, - kms_key_arn, }) } } diff --git a/src/enclave_proc/commands.rs b/src/enclave_proc/commands.rs index 520befed..6e450e33 100644 --- a/src/enclave_proc/commands.rs +++ b/src/enclave_proc/commands.rs @@ -94,7 +94,7 @@ pub fn run_enclaves( // Verify the certificate only if signature section exists if !signature_checker.is_empty() { signature_checker - .verify(args.kms_key_region.as_ref(), args.kms_key_arn.as_ref()) + .verify() .map_err(|e| { new_nitro_cli_failure!( &format!("Invalid signing certificate: {:?}", e), 
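Review bot: `signature_checker.verify()` in run_enclaves now takes no key material, and the one remaining comment says when verification runs, not what the signature is checked against. A line such as `// verify() checks the signature against the signing certificate embedded in the EIF; no KMS access happens at run time` would record that trust decision, assuming this is what the new verify() does (its body is not in this hunk). The existing comment also implies that an EIF without a signature section starts with no check at all, which deserves to be stated explicitly at the same spot. run_enclaves begins and ends outside the hunk.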
diff --git a/src/enclave_proc/cpu_info.rs b/src/enclave_proc/cpu_info.rs index a3deef22..2bfd70fd 100644 --- a/src/enclave_proc/cpu_info.rs +++ b/src/enclave_proc/cpu_info.rs @@ -285,8 +285,6 @@ mod tests { cpu_ids: None, cpu_count: Some(343), enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let mut result = cpu_info.get_cpu_config(&run_args); @@ -320,8 +318,6 @@ mod tests { cpu_ids: None, cpu_count: Some(2), enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let mut result = cpu_info.get_cpu_config(&run_args); diff --git a/src/lib.rs b/src/lib.rs index d45e2c89..15b2bcb4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -298,8 +298,6 @@ pub fn describe_eif(desc_args: DescribeArgs) -> NitroCliResult let cert_info = eif_reader .get_certificate_info( measurements, - desc_args.kms_key_region, - desc_args.kms_key_arn, ) .map_err(|err| { new_nitro_cli_failure!( @@ -696,22 +694,6 @@ macro_rules! create_app { .required(false) .conflicts_with("config"), ) - .arg( - Arg::with_name("kms-key-region") - .long("kms-key-region") - .takes_value(true) - .help("The region in which the KMS key resides.") - .required(false) - .conflicts_with("config"), - ) - .arg( - Arg::with_name("kms-key-arn") - .long("kms-key-arn") - .takes_value(true) - .help("The KMS key ARN.") - .required(false) - .conflicts_with("config"), - ) .arg( Arg::with_name("config") .long("config") @@ -840,20 +822,6 @@ macro_rules! create_app { .required(true) .takes_value(true), ) - .arg( - Arg::with_name("kms-key-region") - .long("kms-key-region") - .help("The region in which the KMS key resides.") - .required(false) - .takes_value(true), - ) - .arg( - Arg::with_name("kms-key-arn") - .long("kms-key-arn") - .help("The KMS key ARN.") - .required(false) - .takes_value(true), - ), ) .subcommand( SubCommand::with_name("describe-enclaves") diff --git a/tests/tests.rs b/tests/tests.rs index 469358fe..e2b90459 100644 --- a/tests/tests.rs 
+++ b/tests/tests.rs @@ -318,8 +318,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; run_describe_terminate(args); } @@ -368,8 +366,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; run_describe_terminate(args); } @@ -411,8 +407,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; run_describe_terminate(args); } @@ -520,8 +514,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; run_describe_terminate(run_args); @@ -564,8 +556,6 @@ mod tests { debug_mode: false, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let mut enclave_manager = run_enclaves(&run_args, None) @@ -628,8 +618,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let mut enclave_manager = run_enclaves(&run_args, None) @@ -721,8 +709,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let run_result = run_enclaves(&run_args, None).expect("Run enclaves failed"); let mut enclave_manager = run_result.enclave_manager; @@ -814,8 +800,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let run_result = run_enclaves(&run_args, None).expect("Run enclaves failed"); let mut enclave_manager = run_result.enclave_manager; 
@@ -910,8 +894,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: None, - kms_key_region: None, - kms_key_arn: None, }; let names = Vec::new(); run_args.enclave_name = @@ -942,8 +924,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("enclaveName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; let mut names = Vec::new(); let name = @@ -1005,8 +985,6 @@ mod tests { let describe_args = DescribeArgs { eif_path: args.output, - kms_key_region: None, - kms_key_arn: None, }; let eif_info = describe_eif(describe_args).unwrap(); @@ -1055,8 +1033,6 @@ mod tests { let describe_args = DescribeArgs { eif_path: args.output, - kms_key_region: None, - kms_key_arn: None, }; let eif_info = describe_eif(describe_args).unwrap(); @@ -1105,8 +1081,6 @@ mod tests { let describe_args = DescribeArgs { eif_path: args.output, - kms_key_region: None, - kms_key_arn: None, }; // Describe EIF and get PCR8 @@ -1171,8 +1145,6 @@ mod tests { let describe_args = DescribeArgs { eif_path: args.output, - kms_key_region: None, - kms_key_arn: None, }; let eif_info = describe_eif(describe_args).unwrap(); @@ -1238,8 +1210,6 @@ mod tests { debug_mode: true, attach_console: false, enclave_name: Some("testName".to_string()), - kms_key_region: None, - kms_key_arn: None, }; run_describe_terminate(args); } @@ -1291,8 +1261,6 @@ mod tests { let describe_args = DescribeArgs { eif_path: args.output, - kms_key_region: None, - kms_key_arn: None, }; // Describe EIF and get PCR8 From 99ad930e1a0c0c1501b29d4409b6c98af549f1bc Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Thu, 11 May 2023 11:26:34 +0000 Subject: [PATCH 10/11] Fix clippy errors --- src/common/mod.rs | 9 ++------- src/enclave_proc/resource_manager.rs | 9 ++------- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/src/common/mod.rs b/src/common/mod.rs index 0ddbc84c..f42262c2 100644 --- a/src/common/mod.rs +++ b/src/common/mod.rs 
@@ -56,9 +56,10 @@ const SOCKETS_DIR_PATH: &str = "/run/nitro_enclaves"; const BACKTRACE_VAR: &str = "BACKTRACE"; /// All possible errors which may occur. -#[derive(Debug, Clone, Copy, Hash, PartialEq)] +#[derive(Debug, Default, Clone, Copy, Hash, PartialEq)] pub enum NitroCliErrorEnum { /// Unspecified error (should avoid using it thoughout the code). + #[default] UnspecifiedError = 0, /// Error for handling missing arguments. MissingArgument, @@ -180,12 +181,6 @@ pub enum NitroCliErrorEnum { EIFSignatureCheckerError, } -impl Default for NitroCliErrorEnum { - fn default() -> NitroCliErrorEnum { - NitroCliErrorEnum::UnspecifiedError - } -} - impl Eq for NitroCliErrorEnum {} /// The type of commands that can be sent to an enclave process. diff --git a/src/enclave_proc/resource_manager.rs b/src/enclave_proc/resource_manager.rs index 5454d134..adf080f6 100644 --- a/src/enclave_proc/resource_manager.rs +++ b/src/enclave_proc/resource_manager.rs @@ -109,9 +109,10 @@ pub struct MemoryRegion { } /// The state an enclave may be in. -#[derive(Clone)] +#[derive(Default, Clone)] pub enum EnclaveState { /// The enclave is not running (it's either not started or has been terminated). + #[default] Empty, /// The enclave is running. Running, @@ -180,12 +181,6 @@ impl ToString for EnclaveState { } } -impl Default for EnclaveState { - fn default() -> Self { - EnclaveState::Empty - } -} - impl Default for EnclaveBuildInfo { fn default() -> Self { EnclaveBuildInfo::new(BTreeMap::new()) From 979e1067166244aa8b80d8ff312313586bada2c7 Mon Sep 17 00:00:00 2001 From: Vlad Proteasa Date: Fri, 12 May 2023 11:42:36 +0000 Subject: [PATCH 11/11] Add kms arguments in enclave_build --- enclave_build/src/main.rs | 40 ++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/enclave_build/src/main.rs b/enclave_build/src/main.rs index cc7f3922..3a20b1ca 100644 --- a/enclave_build/src/main.rs +++ b/enclave_build/src/main.rs 
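Review bot: The `#[default]` variant attribute used on `NitroCliErrorEnum` and `EnclaveState` needs Rust 1.62 or newer, so if the crate documents or tests an older minimum toolchain this clippy fix raises it and the CI matrix should reflect that. In the same spirit, the hand-written `impl Eq for NitroCliErrorEnum {}` left just below the removed `impl Default` can be folded into the derive: `#[derive(Debug, Default, Clone, Copy, Hash, PartialEq, Eq)]`. Both enum definitions continue outside their hunks.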
@@ -87,6 +87,18 @@ fn main() { .help("Specify the path to the private-key") .takes_value(true), ) + .arg( + Arg::with_name("kms-key-arn") + .long("kms-key-arn") + .help("Specify ARN of the KMS key") + .takes_value(true), + ) + .arg( + Arg::with_name("kms-key-region") + .long("kms-key-region") + .help("Specify region in which the KMS key resides") + .takes_value(true), + ) .arg( Arg::with_name("build") .short('b') @@ -134,12 +146,26 @@ fn main() { let signing_certificate = matches .value_of("signing_certificate") .map(|val| val.to_string()); - let private_key = Some(SigningKey::LocalKey { - path: matches - .value_of("private_certificate") - .map(|val| val.to_string()) - .unwrap(), - }); + let kms_key_arn = matches.value_of("kms-key-arn"); + let kms_key_region = matches.value_of("kms-key-region"); + let private_key_path = matches + .value_of("private_key") + .map(|val| val.to_string()); + + let signing_key = match (kms_key_arn, private_key_path) { + (None, Some(key_path)) => { + Some(SigningKey::LocalKey{ + path: key_path + }) + }, + (Some(kms_arn), None) => { + Some(SigningKey::KmsKey{ + arn: kms_arn.to_string(), + region: kms_key_region.unwrap().to_string() + }) + }, + _ => None + }; let img_name = matches.value_of("image_name").map(|val| val.to_string()); let img_version = matches.value_of("image_version").map(|val| val.to_string()); let metadata = matches.value_of("metadata").map(|val| val.to_string()); @@ -161,7 +187,7 @@ fn main() { &mut output, ".".to_string(), &signing_certificate, - &private_key, + &signing_key, img_name, img_version, metadata,
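Review bot: In the new `signing_key` match, `kms_key_region.unwrap()` panics when `--kms-key-arn` is given without `--kms-key-region`. The `_ => None` arm also maps both "no key given" and "a private key and a KMS ARN together" to a silent `None`, so a build the user expected to be signed may come out unsigned with no error (what the callee does with `None` is outside the hunk). The two `Arg` definitions added in the first hunk declare no `requires` or `conflicts_with` relation, so clap rejects neither case. The lookup also changed from `value_of("private_certificate")` to `value_of("private_key")`; the argument's registered name is not visible here and should be checked against it. The fence below matches on the region too and rejects ambiguous combinations; its error reporting should follow whatever the rest of main uses.

```rust
// … unchanged: signing_certificate, kms_key_arn, kms_key_region, private_key_path lookups …
let signing_key = match (kms_key_arn, kms_key_region, private_key_path) {
    // Local key only.
    (None, None, Some(path)) => Some(SigningKey::LocalKey { path }),
    // KMS key: ARN and region must both be present.
    (Some(arn), Some(region), None) => Some(SigningKey::KmsKey {
        arn: arn.to_string(),
        region: region.to_string(),
    }),
    // No key material at all: unsigned build, as before.
    (None, None, None) => None,
    // Anything else is ambiguous or incomplete; refuse instead of silently building unsigned.
    _ => {
        eprintln!(
            "Specify either a private key path, or both --kms-key-arn and --kms-key-region"
        );
        std::process::exit(1);
    }
};
```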