From 5a38881d5aa0e80063a2101fbfce79f5e146621c Mon Sep 17 00:00:00 2001
From: Herman
Date: Thu, 17 Jun 2021 16:22:42 +0200
Subject: [PATCH] feat(data_service): add test for auth_enclave token issuance
---
 .../tests/ecalls/issue_execution_token.rs | 90 +++++++++++++++++++
 rtc_data_service/tests/ecalls/mod.rs | 1 +
 rtc_data_service/tests/main.rs | 4 +
 rtc_data_service/tests/web_api/data_upload.rs | 4 +-
 4 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 rtc_data_service/tests/ecalls/issue_execution_token.rs
diff --git a/rtc_data_service/tests/ecalls/issue_execution_token.rs b/rtc_data_service/tests/ecalls/issue_execution_token.rs
new file mode 100644
index 00000000..152c41e7
--- /dev/null
+++ b/rtc_data_service/tests/ecalls/issue_execution_token.rs
@@ -0,0 +1,90 @@
+use std::{convert::TryInto, str::FromStr};
+
+use rtc_types::ExecReqMetadata;
+use serde::{Deserialize, Serialize};
+use sgx_types::sgx_target_info_t;
+
+use crate::{helpers, CRYPTO_BOX_BOXZEROBYTES, CRYPTO_BOX_ZEROBYTES};
+
+#[derive(Serialize, Deserialize)]
+pub struct ExecReqData {
+ dataset_uuid: [u8; 16],
+ dataset_access_key: [u8; 24],
+ exec_module_hash: [u8; 32],
+ number_of_uses: u32,
+}
+
+#[test]
+fn test_issue_execution_token_success() {
+ let enclave = helpers::init_auth_enclave();
+
+ let enclave_pubkey = enclave
+ .create_report(&sgx_target_info_t::default())
+ .unwrap()
+ .enclave_held_data;
+
+ let mut pubkey = [0_u8; 32];
+ let mut privkey = [0_u8; 32];
+
+ sodalite::box_keypair_seed(&mut pubkey, &mut privkey, &[2_u8; 32]);
+
+ let uuid = uuid::Uuid::from_str("dd12012195c04ae8990ebd2512ae03ab").unwrap();
+ let exec_module_hash: Vec = (0u8..32).collect();
+
+ let req_json = serde_json::to_vec(&ExecReqData {
+ dataset_uuid: *uuid.as_bytes(),
+ dataset_access_key: [1; 24],
+ exec_module_hash: exec_module_hash.try_into().unwrap(),
+ number_of_uses: 10,
+ })
+ .unwrap();
+
+ let plaintext = [vec![0_u8; 32], req_json].concat();
+ let mut ciphertext = vec![0_u8; plaintext.len()];
+ let nonce = [8_u8; 24];
+
+ sodalite::box_(
+ &mut ciphertext,
+ &plaintext,
+ &nonce,
+ &enclave_pubkey,
+ &privkey,
+ )
+ .unwrap();
+
+ let result = enclave
+ .issue_execution_token(
+ &ciphertext[CRYPTO_BOX_BOXZEROBYTES..],
+ ExecReqMetadata {
+ uploader_pub_key: pubkey,
+ nonce,
+ },
+ )
+ .unwrap();
+
+ let mut m = vec![0_u8; result.ciphertext.len() + CRYPTO_BOX_BOXZEROBYTES];
+
+ let padded_c = [
+ vec![0u8; CRYPTO_BOX_BOXZEROBYTES],
+ result.ciphertext.to_vec(),
+ ]
+ .concat();
+
+ // TODO: Test bad privkey, nonce etc and ensure failure
+
+ let open_result =
+ sodalite::box_open(&mut m, &padded_c, &result.nonce, &enclave_pubkey, &privkey);
+
+ assert!(open_result.is_ok());
+
+ // Skip over the padding
+ let padding: &[u8; CRYPTO_BOX_ZEROBYTES] =
+ m[..CRYPTO_BOX_ZEROBYTES].try_into().expect("bad padding");
+
+ assert_eq!(
+ padding, &[0_u8; CRYPTO_BOX_ZEROBYTES],
+ "padding should be zero"
+ );
+
+ // TODO: Assert that decrypted value is a valid JWT
+}
diff --git a/rtc_data_service/tests/ecalls/mod.rs b/rtc_data_service/tests/ecalls/mod.rs
index 422adaf7..4948a04c 100644
--- a/rtc_data_service/tests/ecalls/mod.rs
+++ b/rtc_data_service/tests/ecalls/mod.rs
@@ -1,3 +1,4 @@
 //! ECALL tests
+mod issue_execution_token;
 mod local_attestation;
diff --git a/rtc_data_service/tests/main.rs b/rtc_data_service/tests/main.rs
index 5b4f4d1b..6df53372 100644
--- a/rtc_data_service/tests/main.rs
+++ b/rtc_data_service/tests/main.rs
@@ -1,5 +1,9 @@
 //! Top-level test module
+// See rtc_tenclave/src/crypto.rs
+pub const CRYPTO_BOX_ZEROBYTES: usize = 32;
+pub const CRYPTO_BOX_BOXZEROBYTES: usize = 16;
+
 mod helpers;
 mod ecalls;
diff --git a/rtc_data_service/tests/web_api/data_upload.rs b/rtc_data_service/tests/web_api/data_upload.rs
index f348b4b2..00cd8bef 100644
--- a/rtc_data_service/tests/web_api/data_upload.rs
+++ b/rtc_data_service/tests/web_api/data_upload.rs
@@ -13,8 +13,8 @@ use rtc_data_service::data_upload::models;
 use crate::helpers;
 // See rtc_tenclave/src/crypto.rs
-const CRYPTO_BOX_ZEROBYTES: usize = 32;
-const CRYPTO_BOX_BOXZEROBYTES: usize = 16;
+use crate::CRYPTO_BOX_BOXZEROBYTES;
+use crate::CRYPTO_BOX_ZEROBYTES;
 /// Upload some data, decrypt and check the result.
 #[actix_rt::test]
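Review bot: In `issue_execution_token.rs`, `test_issue_execution_token_success` never checks that `result.nonce` differs from the request `nonce`, although the request and the response are boxed between the same enclave and uploader keys, where a repeated nonce would reuse the keystream. After the `box_open` call the test could add `assert_ne!(result.nonce, nonce, "response must not reuse the request nonce");`, assuming `result.nonce` is the same `[u8; 24]` type that `box_open` accepts here. Whether the enclave actually draws a fresh nonce is not visible in this patch, so this assertion is what would catch a regression on that side. Separately, `vec![0_u8; 32]` in the `plaintext` line hard-codes the padding length that the imported `CRYPTO_BOX_ZEROBYTES` already names; using the constant keeps it tied to the padding check at the end of the test.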