[tests] Add tests for signing pem files

Signed-off-by: Mariusz Zaborski <oshogbo@invisiblethingslab.com>
gramineproject · Nov 29, 2023 · 273b95d · 273b95d
1 parent 7a01476
commit 273b95d
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 3 deletions.
diff --git a/.ci/lib/stage-test.jenkinsfile b/.ci/lib/stage-test.jenkinsfile
@@ -56,9 +56,15 @@ stage('test') {
 
     timeout(time: 15, unit: 'MINUTES') {
         try {
-            sh '''
-                python3 -m pytest -v --junit-xml tests.xml tests/
-            '''
+            if (env.SGX != '1') {
+                sh '''
+                    python3 -m pytest -m "not sgx" -v --junit-xml tests.xml tests/
+                '''
+            } else {
+                sh '''
+                    python3 -m pytest -v --junit-xml tests.xml tests/
+                '''
+            }
         } finally {
             junit 'tests.xml'
             sh 'rm -rf tests.xml'

diff --git a/tests/test_sgx_sign.py b/tests/test_sgx_sign.py
@@ -0,0 +1,78 @@
+#!/usr/bin/python3
+# SPDX-License-Identifier: LGPL-3.0-or-later
+# Copyright (C) 2023 Intel Corporation
+#                    Mariusz Zaborski <oshogbo@invisiblethingslab.com>
+
+# pylint: disable=import-outside-toplevel
+
+import pytest
+
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+
+@pytest.fixture
+def tmp_rsa_key(tmp_path):
+    from graminelibos.sgx_sign import (SGX_RSA_KEY_SIZE, SGX_RSA_PUBLIC_EXPONENT,
+        _cryptography_backend)
+    def gen_rsa_key(passphrase=None, key_size=SGX_RSA_KEY_SIZE):
+        key_path = tmp_path / 'key.pem'
+        with open(key_path, 'wb') as pfile:
+            key = rsa.generate_private_key(public_exponent=SGX_RSA_PUBLIC_EXPONENT,
+                key_size=key_size, backend=_cryptography_backend)
+
+            encryption_algorithm = serialization.NoEncryption()
+            if passphrase is not None:
+                encryption_algorithm = serialization.BestAvailableEncryption(passphrase)
+
+            private_key = key.private_bytes(encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8, encryption_algorithm=
+                encryption_algorithm)
+            pfile.write(private_key)
+        return key_path
+    return gen_rsa_key
+
+# pylint: disable=too-many-arguments
+def verify_signature(data, exponent, modulus, signature, key_file, passphrase=None):
+    from graminelibos.sgx_sign import _cryptography_backend
+    private_key = serialization.load_pem_private_key(key_file.read(), password=passphrase,
+        backend=_cryptography_backend)
+
+    public_key = private_key.public_key()
+
+    numbers = public_key.public_numbers()
+    assert numbers.e == exponent
+    assert numbers.n == modulus
+    signature_bytes = signature.to_bytes((signature.bit_length() + 7) // 8, byteorder='big')
+    # This will raise a `cryptography.exceptions.InvalidSignature` exception
+    # if signature verification fails.
+    public_key.verify(signature_bytes, data, padding.PKCS1v15(), hashes.SHA256())
+
+# This test is omitted when Gramine is installed without SGX support because graminelibos.sgx_sign
+# is not installed in such case. This is also why we perform top-level import in this function.
+# pylint: disable=redefined-outer-name
+@pytest.mark.sgx
+def test_sign_from_pem_path(tmp_rsa_key):
+    from graminelibos.sgx_sign import sign_with_private_key_from_pem_path
+
+    data = b'lorem ipsum dolor sit amet consectetur adipiscing elit'
+
+    key_path = tmp_rsa_key()
+    with open(key_path, 'rb') as key_file:
+        exponent, modulus, signature = sign_with_private_key_from_pem_path(data, key_path)
+        verify_signature(data, exponent, modulus, signature, key_file)
+
+# This test is omitted when Gramine is installed without SGX support because graminelibos.sgx_sign
+# is not installed in such case. This is also why we perform top-level import in this function.
+# pylint: disable=redefined-outer-name
+@pytest.mark.sgx
+def test_sign_from_pem_path_with_passphrase(tmp_rsa_key):
+    from graminelibos.sgx_sign import sign_with_private_key_from_pem_path
+
+    data = b'lorem ipsum dolor sit amet consectetur adipiscing elit'
+    passphrase = b'randompassphrase'
+
+    key_path = tmp_rsa_key(passphrase)
+    with open(key_path, 'rb') as key_file:
+        exponent, modulus, signature = sign_with_private_key_from_pem_path(data, key_path,
+            passphrase)
+        verify_signature(data, exponent, modulus, signature, key_file, passphrase)