tests: update e2e Makefile test

We now require a keypair to sign/validate the attestation token. Add this keypair to the e2e test. Interestingly, we were using a keypair for validating the old CoCo token in this test, but only for the passport mode. Even in background check mode, this keypair is required or the token won't be validated at all. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
confidential-containers · Oct 3, 2024 · 06144fd · 06144fd
1 parent 95af0a6
commit 06144fd
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 7 deletions.
diff --git a/kbs/test/Makefile b/kbs/test/Makefile
@@ -30,6 +30,9 @@ TEE_KEY := $(WORK_DIR)/tee.key
 HTTPS_KEY := $(WORK_DIR)/https.key
 HTTPS_CERT := $(WORK_DIR)/https.crt
 KBS_POLICY := $(WORK_DIR)/kbs-policy.rego
+AS_KEY := $(WORK_DIR)/as-key.pem
+AS_PRIVATE_KEY := $(WORK_DIR)/as-private-key.pem
+AS_PUBLIC_KEY := $(WORK_DIR)/as-public-key.pem
 
 SHELL := bash
 ifeq ($(OS),Ubuntu)
@@ -141,13 +144,22 @@ $(SECRET_FILE):
 	mkdir -p $$(dirname "$(SECRET_FILE)") && \
 	openssl rand 16 > "$(SECRET_FILE)"
 
+$(AS_KEY):
+	openssl ecparam -name prime256v1 -genkey -noout -out "$@"
+
+$(AS_PRIVATE_KEY): $(AS_KEY)
+	openssl pkcs8 -topk8 -inform PEM -outform PEM -in "$(AS_KEY)" -nocrypt -out "$@"
+
+$(AS_PUBLIC_KEY): $(AS_PRIVATE_KEY)
+	openssl ec -in "$(AS_PRIVATE_KEY)" -pubout -out "$@"
+
 .PHONY: start-kbs
 start-kbs: kbs.PID
 
 .PHONY: start-resource-kbs
 start-resource-kbs: resource-kbs.PID
 
-kbs-keys: $(KBS_KEY) $(TOKEN_KEY) $(HTTPS_KEY)
+kbs-keys: $(KBS_KEY) $(TOKEN_KEY) $(HTTPS_KEY) $(AS_PUBLIC_KEY) $(AS_PRIVATE_KEY)
 
 kbs-certs: $(KBS_PEM) $(TOKEN_CERT_CHAIN) $(HTTPS_CERT)
 
@@ -159,7 +171,7 @@ kbs.PID: kbs kbs-keys kbs-certs $(SECRET_FILE)
 	} && \
 	sleep 1
 
-resource-kbs.PID: resource-kbs $(KBS_PEM) $(CA_CERT) $(SECRET_FILE)
+resource-kbs.PID: resource-kbs $(KBS_PEM) $(CA_CERT) $(SECRET_FILE) $(AS_PUBLIC_KEY)
 	@printf "${BOLD}start resource-kbs${SGR0}\n"
 	{ \
 		./resource-kbs --config-file "$(KBS_CONFIG_PATH)/resource-kbs.toml" \

diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml
@@ -5,7 +5,8 @@ private_key = "./work/https.key"
 certificate = "./work/https.crt"
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+attestation_token_type = "Ear"
+trusted_certs_paths = ["./work/as-public-key.pem"]
 
 [repository_config]
 type = "LocalFs"
@@ -14,13 +15,12 @@ dir_path = "./work/repository"
 [as_config]
 work_dir = "./work/attestation-service"
 policy_engine = "opa"
-attestation_token_broker = "Simple"
 
 [as_config.attestation_token_config]
 duration_min = 5
 
 [as_config.attestation_token_config.signer]
-key_path = "./work/token.key"
+key_path = "./work/as-private-key.pem"
 cert_path = "./work/token-cert-chain.pem"
 
 [as_config.rvps_config]

diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml
@@ -3,8 +3,8 @@ auth_public_key = "./work/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
-trusted_certs_paths = ["./work/ca-cert.pem"]
+attestation_token_type = "Ear"
+trusted_certs_paths = ["./work/as-public-key.pem"]
 
 [repository_config]
 type = "LocalFs"