For signing enclave images `nitro-cli` supports signatures using ECDSA as supported by COSE Sign1 (described in RFC 8152). The implementation for that is in https://github.com/awslabs/aws-nitro-enclaves-cose

When using other key types (e.g. RSA) `nitro-cli` will panic:

```
$ sudo nitro-cli build-enclave --docker-uri <dockeruri> --output-file test.eif --private-key rsa.pem --signing-certificate cert.pem
Start building the Enclave Image...
Using the locally available Docker image...
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: UnsupportedError("Non-EC keys are not supported")', /builddir/build/BUILD/aws-nitro-enclaves-cli-1.3.1/crates-dependencies/aws-nitro-enclaves-image-format/src/utils/mod.rs:298:18
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```

The error is actually created in https://github.com/awslabs/aws-nitro-enclaves-cose/blob/main/src/crypto/openssl_pkey.rs#L62 and not properly propagated up through https://github.com/aws/aws-nitro-enclaves-image-format/blob/main/src/utils/mod.rs#L297-L301 to fail gracefully and provide a proper error message.

Further, this constraint on signing key types is not documented appropriately and needs to be called out.
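To illustrate the propagation problem described above, here is an added stand-alone model (not code from `nitro-cli`, `aws-nitro-enclaves-image-format` or `aws-nitro-enclaves-cose`): the `unwrap()` path that turns the unsupported-key error into a panic, beside a version that propagates it with `?` so the CLI can report it. `KeyKind`, `CoseError`, `load_signing_key`, `sign_panicking` and `sign_graceful` are hypothetical names, not the real crate APIs.

```rust
// Hypothetical model of the issue's call chain; names are not the real crate APIs.
use std::fmt;

#[derive(Debug, Clone, PartialEq)]
pub enum KeyKind { Ec, Rsa }

#[derive(Debug, PartialEq)]
pub enum CoseError {
    UnsupportedError(String),
}

impl fmt::Display for CoseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            CoseError::UnsupportedError(msg) => write!(f, "UnsupportedError({})", msg),
        }
    }
}

/// Models the check at the bottom of the chain (openssl_pkey.rs in the issue):
/// only EC keys are accepted for COSE Sign1.
fn load_signing_key(kind: &KeyKind) -> Result<KeyKind, CoseError> {
    match kind {
        KeyKind::Ec => Ok(KeyKind::Ec),
        KeyKind::Rsa => Err(CoseError::UnsupportedError("Non-EC keys are not supported".into())),
    }
}

/// Reported behaviour: the Err is unwrapped, so the process panics with
/// "called `Result::unwrap()` on an `Err` value" instead of reporting it.
pub fn sign_panicking(kind: &KeyKind) -> String {
    let key = load_signing_key(kind).unwrap();
    format!("signed with {:?}", key)
}

/// What the issue asks for: propagate the error with `?` so the caller can
/// print a proper message and exit non-zero.
pub fn sign_graceful(kind: &KeyKind) -> Result<String, String> {
    let key = load_signing_key(kind)
        .map_err(|e| format!("unsupported signing key: {}", e))?;
    Ok(format!("signed with {:?}", key))
}

fn main() {
    match sign_graceful(&KeyKind::Rsa) {
        Ok(s) => println!("{}", s),
        Err(e) => eprintln!("error: {}", e),
    }
}
```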