Closed jfallows closed 2 years ago
Hi again and thanks for having a look into this.
Indeed, as the script doc states, this can be executed only on an EC2 instance where you have an ACM enclave (production or debug mode) set up accordingly. Unfortunately, in the simulated environment we did not mock the KMS decrypt path when you provision the token in the codebase enclave-side. That is, when you provision a token, it will try to access the KMS endpoint based on the KMS key ID and region (i.e. https://github.com/aws/aws-nitro-enclaves-acm/blob/main/src/vtok_srv/src/worker.rs#L74).
The test suite is executed against a provisioned token with the keys present in the test directory.
Thus you could only run it on your instance.
[ec2-user@<instance-ip>~]$ ./tests/testtool openssl --kms-key-id <your-kms-key-id> --kms-region <your-kms-region>
Running Sign&verify tests
Running RSA-PSS Sign&Verify tests using openssl
test_openssl_digestsignverify_rsapss_rsa1024_0B_0_sha1
test_openssl_digestsignverify_rsapss_rsa1024_0B_0_sha1 ............... PASSED
test_openssl_digestsignverify_rsapss_rsa1024_0B_1_sha1
...
Running RSA RAW Encrypt&Decrypt (x509) tests using openssl
test_openssl_encryptdecrypt_rsa_x509_rsa4096_512B
test_openssl_encryptdecrypt_rsa_x509_rsa4096_512B .................... PASSED
740 tests passed, 0 tests failed
Please let me know if this answers your question.
Resolving the issue as answered.
I have run into some issues while following the instructions in the README on how to build locally and test in the development environment.
Building
The command in `devtools` producing this error seems to be at line 299:
In my case, the actual command being executed was:
Checking the output of the command:
Attempting to verify docker is working as expected on container:
So it looks like a permission error on the bind mount for `/var/run/docker.sock`.
Attempted workaround:
Attempt to continue with build after applying workaround:
Progress!
Testing
Looks good, left that running and started a separate shell to continue.
This warning about the enclave container not running is confusing because it is definitely already started. In fact, if I stop the enclave container, then this message does not print. IIUC, then the logic in the `devtools` script may be inverted at line 583.
Perhaps it should be
if we want the warning to be presented only when `$ctr_id` is empty.
In any case, this warning does not prevent progress, leaving the simulated parent container running.
Attempting to continue to follow the instructions from README.md from inside the simulated parent container.
This seemed to indicate that the token has not been provisioned yet.
Confirmed, no tokens, but simulated enclave is reachable from simulated parent.
Attempted to continue with running tests per README.md.
This description implies being applicable for both development enclaves and real enclaves, and references the `tests` directory from the repo, so I attempted to run that from my OSX host environment.
Realized this script does not implicitly run a docker container, so it should not be executed from the host environment.
Instead, a comment at the top of `./tests/testtool` says:
Due to the mention of EC2, it is now unclear if these tests can actually be run against a development enclave using the local docker setup.
Copying the tests directory onto the simulated parent and running `testtool` from there gives:
Would appreciate some guidance on how to run the openssl tests using the local docker development environment please.