From 3499f4b05f1c568f05dfaf5170ae23d07cc4db2a Mon Sep 17 00:00:00 2001 From: Eugene Koira Date: Fri, 12 Apr 2024 15:57:14 +0000 Subject: [PATCH] KMS signing support Signed-off-by: Eugene Koira --- Cargo.toml | 3 + enclave_build/src/lib.rs | 27 +++----- enclave_build/src/main.rs | 42 ++++++++++-- src/common/commands_parser.rs | 65 +++++++++++++----- src/lib.rs | 44 ++++++++---- tests/test_nitro_cli_args.rs | 50 +++++++++++++- tests/tests.rs | 122 +++++++++++++++------------------- 7 files changed, 232 insertions(+), 121 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index f90859cca..bf03a534c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,6 +28,9 @@ vsock = "0.3" vmm-sys-util = "0.12.1" sha2 = "0.9.5" hex = "0.4" +aws-config = "0.55" +tokio = { version = "1.20", features = ["rt-multi-thread"] } +aws-types = "0.55" lazy_static = "1.4.0" diff --git a/enclave_build/src/lib.rs b/enclave_build/src/lib.rs index 66069b48b..302928c87 100644 --- a/enclave_build/src/lib.rs +++ b/enclave_build/src/lib.rs @@ -1,4 +1,4 @@ -// Copyright 2019-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 #![allow(clippy::too_many_arguments)] @@ -12,7 +12,7 @@ mod yaml_generator; use aws_nitro_enclaves_image_format::defs::{EifBuildInfo, EifIdentityInfo, EIF_HDR_ARCH_ARM64}; use aws_nitro_enclaves_image_format::utils::identity::parse_custom_metadata; -use aws_nitro_enclaves_image_format::utils::{EifBuilder, SignEnclaveInfo}; +use aws_nitro_enclaves_image_format::utils::{EifBuilder, SignKeyDataInfo, SignKeyData}; use docker::DockerUtil; use serde_json::json; use sha2::Digest; @@ -31,7 +31,7 @@ pub struct Docker2Eif<'a> { linuxkit_path: String, artifacts_prefix: String, output: &'a mut File, - sign_info: Option, + sign_info: Option, img_name: Option, img_version: Option, metadata_path: Option, 
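Review bot: None of the three crates added here (`aws-config`, `tokio` with `rt-multi-thread`, `aws-types`) is referenced by any Rust source in this patch, so a reader of the manifest cannot tell why they are needed; presumably the KMS path of `aws-nitro-enclaves-image-format`, which supplies the new `SignKeyData`/`SignKeyInfo` types, pulls them in, but that crate's own version line is outside this hunk and no lockfile change is shown, so the bump that actually provides those types should be confirmed. A one-line comment above the group, `# KMS signing: runtime and AWS config/credential types used through aws-nitro-enclaves-image-format`, would make the reason auditable for the next dependency review. If the SDK is exercised during `build-enclave`, that step now depends on AWS credentials and network reachability, which the new `--kms-key-id` help text in `src/lib.rs` does not mention.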
@@ -68,8 +68,7 @@ impl<'a> Docker2Eif<'a> { linuxkit_path: String, output: &'a mut File, artifacts_prefix: String, - certificate_path: &Option, - key_path: &Option, + sign_info: &Option, img_name: Option, img_version: Option, metadata_path: Option, @@ -98,15 +97,6 @@ impl<'a> Docker2Eif<'a> { } } - let sign_info = match (certificate_path, key_path) { - (None, None) => None, - (Some(cert_path), Some(key_path)) => Some( - SignEnclaveInfo::new(cert_path, key_path) - .map_err(|err| Docker2EifError::SignImageError(format!("{err:?}")))?, - ), - _ => return Err(Docker2EifError::SignArgsError), - }; - Ok(Docker2Eif { docker_image, docker, @@ -117,7 +107,7 @@ impl<'a> Docker2Eif<'a> { linuxkit_path, output, artifacts_prefix, - sign_info, + sign_info: sign_info.clone(), img_name, img_version, metadata_path, @@ -275,10 +265,15 @@ impl<'a> Docker2Eif<'a> { _ => return Err(Docker2EifError::UnsupportedArchError), }; + let sign_data = self.sign_info.as_ref().map( + |info| SignKeyData::new(info)) + .transpose() + .map_err(|err| Docker2EifError::SignImageError(format!("{:?}", err)))?; + let mut build = EifBuilder::new( Path::new(&self.kernel_img_path), self.cmdline.clone(), - self.sign_info.clone(), + sign_data, sha2::Sha384::new(), flags, self.generate_identity_info()?, diff --git a/enclave_build/src/main.rs b/enclave_build/src/main.rs index 0a5ac5dae..5b546f0cd 100644 --- a/enclave_build/src/main.rs +++ b/enclave_build/src/main.rs @@ -1,10 +1,11 @@ -// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 use clap::{App, AppSettings, Arg}; use std::fs::OpenOptions; use aws_nitro_enclaves_image_format::generate_build_info; +use aws_nitro_enclaves_image_format::utils::{ SignKeyDataInfo, SignKeyInfo }; use enclave_build::Docker2Eif; fn main() { 
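Review bot: `SignKeyData::new` is now invoked in the build step instead of in `Docker2Eif::new`, so a wrong certificate path, an unreadable key or (presumably, for KMS) a credential or region problem is reported only after the Docker image has been pulled and converted, whereas the removed `SignEnclaveInfo::new` call failed before any of that work; the enclosing function starts before this hunk, so consider validating the signing input in the constructor if `SignKeyData::new` has no side effects worth deferring. Two style points on the same lines: `.map(|info| SignKeyData::new(info))` is a redundant closure (`.map(SignKeyData::new)`), and `format!("{:?}", err)` should use the inline-capture form `format!("{err:?}")` that the removed line in `new` already used. The `use` line in the earlier `@@ -12,7` hunk lists `SignKeyDataInfo` before `SignKeyData`; rustfmt sorts them the other way round.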
@@ -86,6 +87,18 @@ fn main() { .help("Specify the path to the private-key") .takes_value(true), ) + .arg( + Arg::with_name("kms-key-id") + .long("kms-key-id") + .help("Specify id of the KMS key") + .takes_value(true), + ) + .arg( + Arg::with_name("kms-key-region") + .long("kms-key-region") + .help("Specify region in which the KMS key resides") + .takes_value(true), + ) .arg( Arg::with_name("build") .short('b') @@ -133,9 +146,29 @@ fn main() { let signing_certificate = matches .value_of("signing_certificate") .map(|val| val.to_string()); - let private_key = matches - .value_of("private_certificate") + let kms_key_id = matches.value_of("kms-key-id"); + let kms_key_region = matches.value_of("kms-key-region"); + let private_key_path = matches + .value_of("private_key") .map(|val| val.to_string()); + + let sign_key_info = match (signing_certificate, kms_key_id, private_key_path) { + (None, None, None) => None, + (Some(cert_path), None, Some(key_path)) => + Some(SignKeyDataInfo { + cert_path: cert_path.to_string(), + key_info: SignKeyInfo::LocalPrivateKeyInfo { path: key_path.to_string() } + }), + (Some(cert_path), Some(key_id), None) => + Some(SignKeyDataInfo { + cert_path: cert_path.to_string(), + key_info: SignKeyInfo::KmsKeyInfo { id: key_id.to_string(), region: kms_key_region.map(str::to_string) } + }), + (Some(_), None, None) => panic!("signing-certificate can be used only together with kms-key-id or private-key parameters"), + (None, Some(_), None) => panic!("signing-certificate is required together with kms-key-id parameters"), + (None, None, Some(_)) => panic!("signing-certificate is required together with private-key parameters"), + (_, Some(_), Some(_)) => panic!("kms-key-id and private-key parameters are mutually exclusive") + }; let img_name = matches.value_of("image_name").map(|val| val.to_string()); let img_version = matches.value_of("image_version").map(|val| val.to_string()); let metadata = matches.value_of("metadata").map(|val| val.to_string()); 
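Review bot: The argument-combination check in the new `match` aborts with `panic!` on ordinary user mistakes, so a forgotten `--signing-certificate` yields a panic message and backtrace hint rather than a usage error; clap can express these rules declaratively on the `kms-key-id` and `kms-key-region` Args added in the `@@ -86` hunk above, e.g. `.requires("signing_certificate")` and `.conflicts_with("private_key")`, which also keeps this binary consistent with the `conflicts_with` wiring that `create_app!` in `src/lib.rs` receives in this same patch. `kms_key_region` is consumed only in the `(Some, Some, None)` arm, so `--kms-key-region` given alone or next to `--private-key` is silently ignored and the build proceeds unsigned or with the local key. `signing_certificate` and `private_key_path` are already `Option<String>`, so the `.to_string()` calls on `cert_path` and `key_path` are redundant clones. `main` continues outside this hunk, and the `use` line added in the `@@ -1,10` hunk carries spaces inside the braces that rustfmt would remove.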
@@ -157,8 +190,7 @@ fn main() { linuxkit_path.to_string(), &mut output, ".".to_string(), - &signing_certificate, - &private_key, + &sign_key_info, img_name, img_version, metadata, diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs index 0da9a7a1b..ddad55c05 100644 --- a/src/common/commands_parser.rs +++ b/src/common/commands_parser.rs @@ -1,8 +1,9 @@ -// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 #![deny(missing_docs)] #![deny(warnings)] +use aws_nitro_enclaves_image_format::utils::{SignKeyInfo, SignKeyDataInfo}; use clap::ArgMatches; use libc::VMADDR_CID_HOST; #[cfg(test)] @@ -104,10 +105,8 @@ pub struct BuildEnclavesArgs { pub docker_dir: Option, /// The path where the enclave image file will be written to. pub output: String, - /// The path to the signing certificate for signed enclaves. - pub signing_certificate: Option, - /// The path to the private key for signed enclaves. - pub private_key: Option, + /// Details of key and certificate used for signing the EIF + pub sign_info: Option, /// The name of the enclave image. pub img_name: Option, /// The version of the enclave image. 
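Review bot: The new doc comment on `sign_info` is the only field doc in `BuildEnclavesArgs` without a terminal period and does not say which forms the value can take; `/// Details of the certificate and key (local private key or KMS key) used for signing the EIF.` would match its siblings and name the two `SignKeyInfo` variants this patch introduces. The `use` line in the `@@ -1,8` hunk lists `SignKeyInfo` before `SignKeyDataInfo`, which rustfmt reorders.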
@@ -121,23 +120,46 @@ impl BuildEnclavesArgs { pub fn new_with(args: &ArgMatches) -> NitroCliResult { let signing_certificate = parse_signing_certificate(args); let private_key = parse_private_key(args); - - match (&signing_certificate, &private_key) { - (Some(_), None) => { + let kms_key_id = parse_kms_key_id(args); + let kms_key_region = parse_kms_key_region(args); + + let sign_info = match (signing_certificate, kms_key_id, private_key) { + (None, None, None) => None, + (Some(cert_path), None, Some(key_path)) => + Some(SignKeyDataInfo { + cert_path: cert_path.to_string(), + key_info: SignKeyInfo::LocalPrivateKeyInfo { path: key_path.to_string() } + }), + (Some(cert_path), Some(key_id), None) => + Some(SignKeyDataInfo { + cert_path: cert_path.to_string(), + key_info: SignKeyInfo::KmsKeyInfo { + id: key_id.to_string(), + region: kms_key_region + } + }), + (Some(_), None, None) => + return Err(new_nitro_cli_failure!( + "`private-key` or `kms-key-id` argument not found", + NitroCliErrorEnum::MissingArgument + )), + (None, Some(_), None) => return Err(new_nitro_cli_failure!( - "`private-key` argument not found", + "`signing-certificate` argument not found while `kms-key-id` is provided", NitroCliErrorEnum::MissingArgument ) - .add_info(vec!["private-key"])) - } - (None, Some(_)) => { + .add_info(vec!["signing-certificate"])), + (None, None, Some(_)) => return Err(new_nitro_cli_failure!( - "`signing-certificate` argument not found", + "`signing-certificate` argument not found while `private-key` is provided", NitroCliErrorEnum::MissingArgument ) - .add_info(vec!["signing-certificate"])) - } - _ => (), + .add_info(vec!["signing-certificate"])), + (_, Some(_), Some(_)) => + return Err(new_nitro_cli_failure!( + "`kms-key-id` and `private-key` parameters are mutually exclusive", + NitroCliErrorEnum::ConflictingArgument + )) }; Ok(BuildEnclavesArgs { 
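Review bot: The `(Some(_), None, None)` arm drops the `.add_info(vec!["private-key"])` that the replaced branch attached to its `MissingArgument` failure, and the new `ConflictingArgument` arm carries no `add_info` either, so anything that reads the failure's info vector loses the offending argument names; `.add_info(vec!["private-key", "kms-key-id"])` on the former and `.add_info(vec!["kms-key-id", "private-key"])` on the latter would keep the file's convention. `kms_key_region` is parsed unconditionally but used only in the KMS arm, so `--kms-key-region` without `--kms-key-id` is silently discarded and the `(None, None, None)` arm produces an unsigned EIF; either reject that combination or document that the region is ignored. The tuple is matched by value and `parse_kms_key_id` visibly returns owned `String`s, so `cert_path.to_string()`, `key_path.to_string()` and `key_id.to_string()` appear to be needless clones. `new_with` continues past the end of this hunk.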
@@ -156,8 +178,7 @@ impl BuildEnclavesArgs { ) .add_info(vec!["output"]) })?, - signing_certificate, - private_key, + sign_info, img_name: parse_image_name(args), img_version: parse_image_version(args), metadata: parse_metadata(args), @@ -572,6 +593,14 @@ fn parse_error_code_str(args: &ArgMatches) -> NitroCliResult { Ok(error_code_str.to_string()) } +fn parse_kms_key_region(args: &ArgMatches) -> Option { + args.value_of("kms-key-region").map(|val| val.to_string()) +} + +fn parse_kms_key_id(args: &ArgMatches) -> Option { + args.value_of("kms-key-id").map(|val| val.to_string()) +} + #[cfg(test)] mod tests { use super::*; diff --git a/src/lib.rs b/src/lib.rs index 169e64b04..ad10d7883 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,4 +1,4 @@ -// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 #![deny(missing_docs)] #![deny(warnings)] @@ -17,6 +17,7 @@ pub mod utils; use aws_nitro_enclaves_image_format::defs::eif_hasher::EifHasher; use aws_nitro_enclaves_image_format::utils::eif_reader::EifReader; +use aws_nitro_enclaves_image_format::utils::SignKeyDataInfo; use aws_nitro_enclaves_image_format::{generate_build_info, utils::get_pcrs}; use log::{debug, info}; use sha2::{Digest, Sha384}; @@ -56,8 +57,7 @@ pub fn build_enclaves(args: BuildEnclavesArgs) -> NitroCliResult<()> { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -71,8 +71,7 @@ pub fn build_from_docker( docker_uri: &str, docker_dir: &Option, output_path: &str, - signing_certificate: &Option, - private_key: &Option, + sign_info: &Option, img_name: &Option, img_version: &Option, metadata_path: &Option, 
@@ -134,8 +133,7 @@ pub fn build_from_docker( format!("{}/linuxkit", blobs_path), &mut file_output, artifacts_path()?, - signing_certificate, - private_key, + sign_info, img_name.clone(), img_version.clone(), metadata_path.clone(), @@ -736,12 +734,6 @@ macro_rules! create_app { .help("Local path to developer's X509 signing certificate.") .takes_value(true), ) - .arg( - Arg::with_name("private-key") - .long("private-key") - .help("Local path to developer's Eliptic Curve private key.") - .takes_value(true), - ) .arg( Arg::with_name("image_name") .long("name") @@ -759,6 +751,30 @@ macro_rules! create_app { .long("metadata") .help("Path to JSON containing the custom metadata provided by the user.") .takes_value(true), + ) + .arg( + Arg::with_name("private-key") + .long("private-key") + .help("Local path to developer's Eliptic Curve private key.") + .takes_value(true) + .conflicts_with("kms-key-id") + .conflicts_with("kms-key-region"), + ) + .arg( + Arg::with_name("kms-key-region") + .long("kms-key-region") + .help("The region in which the KMS key resides.") + .takes_value(true) + .required(false) + .conflicts_with("private-key"), + ) + .arg( + Arg::with_name("kms-key-id") + .long("kms-key-id") + .help("The KMS key ID") + .takes_value(true) + .required(false) + .conflicts_with("private-key"), ), ) .subcommand( @@ -839,5 +855,5 @@ macro_rules! create_app { .required(true), ), ) - }; + }; } diff --git a/tests/test_nitro_cli_args.rs b/tests/test_nitro_cli_args.rs index e68f625b0..fd2641f7c 100644 --- a/tests/test_nitro_cli_args.rs +++ b/tests/test_nitro_cli_args.rs @@ -1,4 +1,4 @@ -// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 #![deny(warnings)] 
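Review bot: `kms-key-id` is declared to conflict with `private-key` but not to require the signing certificate, so the parser accepts `--kms-key-id` on its own and the mistake is only caught later by `BuildEnclavesArgs::new_with`; adding `.requires("signing-certificate")` (using that Arg's declared name) to both `kms-key-id` and `private-key` lets clap report it in the usual usage format. `kms-key-region` likewise has no `.requires("kms-key-id")`, so a region given without a key id is accepted and then ignored. `.required(false)` is clap's default and is noise on both new Args, and the help string `"The KMS key ID"` lacks the terminal period its neighbours use; `"The KMS key ID. Requires --signing-certificate; conflicts with --private-key."` would also surface the rule in `--help`. The `"Eliptic Curve"` typo is carried over verbatim on the re-added `private-key` line and could become `Elliptic` while the line moves.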
@@ -650,4 +650,52 @@ mod test_nitro_cli_args { assert!(app.get_matches_from_safe(args).is_ok()) } + + #[test] + fn build_kms_signed_enclave_correct_command() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "build-enclave", + "--docker-uri", + "dkr.ecr.us-east-1.amazonaws.com/stronghold-develss", + "--docker-dir", + "dir/", + "--output-file", + "image.eif", + "--signing-certificate", + "cert.pem", + "--kms-key-id", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--kms-key-region", + "eu-west-1", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), false) + } + + #[test] + fn build_kms_signed_enclave_conflicting_arguments() { + let app = create_app!(); + let args = vec![ + "nitro cli", + "build-enclave", + "--docker-uri", + "dkr.ecr.us-east-1.amazonaws.com/stronghold-develss", + "--docker-dir", + "dir/", + "--output-file", + "image.eif", + "--signing-certificate", + "cert.pem", + "--kms-key-id", + "a23f54c8-b2ce-1a5c-a2db-f444a5b3d22d", + "--kms-key-region", + "eu-west-1", + "--private-key", + "key.pem", + ]; + + assert_eq!(app.get_matches_from_safe(args).is_err(), true) + } } diff --git a/tests/tests.rs b/tests/tests.rs index 9f26050c8..f64a65bba 100644 --- a/tests/tests.rs +++ b/tests/tests.rs @@ -1,4 +1,4 @@ -// Copyright 2019-2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. +// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 #![deny(warnings)] @@ -20,6 +20,7 @@ mod tests { new_enclave_name, }; use nitro_cli::{CID_TO_CONSOLE_PORT_OFFSET, VMADDR_CID_HYPERVISOR}; + use aws_nitro_enclaves_image_format::utils::{ SignKeyInfo, SignKeyDataInfo }; use serde_json::json; use std::convert::TryInto; use std::fs::{File, OpenOptions}; 
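Review bot: Both new tests assert through `assert_eq!(…is_err(), false)` / `true`, whereas the sibling test directly above uses `assert!(app.get_matches_from_safe(args).is_ok())`; `assert!(app.get_matches_from_safe(args).is_ok())` and `assert!(app.get_matches_from_safe(args).is_err())` read more directly and match the file. The conflict case is the only negative one covered: there is no test that `--kms-key-id` without `--signing-certificate`, or `--kms-key-region` without `--kms-key-id`, is rejected, which is exactly where the argument-dependency wiring in `create_app!` is most likely to regress.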
@@ -79,8 +80,7 @@ mod tests { docker_uri: "667861386598.dkr.ecr.us-east-1.amazonaws.com/enclaves-devel".to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -98,8 +98,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -109,8 +108,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -140,8 +138,7 @@ mod tests { docker_uri: "hello-world:latest".to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -151,8 +148,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -169,8 +165,7 @@ mod tests { docker_uri: COMMAND_EXECUTER_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -180,8 +175,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, 
@@ -244,8 +238,12 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path, - signing_certificate: Some(cert_path), - private_key: Some(key_path), + sign_info: Some(SignKeyDataInfo { + cert_path: cert_path, + key_info: SignKeyInfo::LocalPrivateKeyInfo { + path: key_path, + } + }), img_name: None, img_version: None, metadata: None, @@ -255,8 +253,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -287,8 +284,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -298,8 +294,7 @@ mod tests { &build_args.docker_uri, &build_args.docker_dir, &build_args.output, - &build_args.signing_certificate, - &build_args.private_key, + &build_args.sign_info, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -333,8 +328,12 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path, - signing_certificate: Some(cert_path), - private_key: Some(key_path), + sign_info: Some(SignKeyDataInfo { + cert_path, + key_info: SignKeyInfo::LocalPrivateKeyInfo { + path: key_path, + } + }), img_name: None, img_version: None, metadata: None, @@ -344,8 +343,7 @@ mod tests { &build_args.docker_uri, &build_args.docker_dir, &build_args.output, - &build_args.signing_certificate, - &build_args.private_key, + &build_args.sign_info, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -374,8 +372,7 @@ mod tests { docker_uri: COMMAND_EXECUTER_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, 
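Review bot: `cert_path: cert_path,` uses the redundant field-name form that clippy flags, while the parallel `@@ -333` and `@@ -1001` hunks in this same file write the shorthand `cert_path,`; use the shorthand here too, and add the trailing comma after the inner `}` that rustfmt inserts in a multi-line struct literal. The `@@ -1043` hunk's `cert_path: cert_path.clone()` is the one place where the explicit form is warranted.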
@@ -385,8 +382,7 @@ mod tests { &build_args.docker_uri, &build_args.docker_dir, &build_args.output, - &build_args.signing_certificate, - &build_args.private_key, + &build_args.sign_info, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -481,8 +477,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -492,8 +487,7 @@ mod tests { &build_args.docker_uri, &build_args.docker_dir, &build_args.output, - &build_args.signing_certificate, - &build_args.private_key, + &build_args.sign_info, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -523,8 +517,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -534,8 +527,7 @@ mod tests { &build_args.docker_uri, &build_args.docker_dir, &build_args.output, - &build_args.signing_certificate, - &build_args.private_key, + &build_args.sign_info, &build_args.img_name, &build_args.img_version, &build_args.metadata, @@ -585,8 +577,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -596,8 +587,7 @@ mod tests { &build_args.docker_uri, &build_args.docker_dir, &build_args.output, - &build_args.signing_certificate, - &build_args.private_key, + &build_args.sign_info, &build_args.img_name, &build_args.img_version, &build_args.metadata, 
@@ -675,8 +665,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -686,8 +675,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -766,8 +754,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: Some("TestName".to_string()), img_version: Some("1.0".to_string()), metadata: Some(meta_path.to_str().unwrap().to_string()), @@ -777,8 +764,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -860,8 +846,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -871,8 +856,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -959,8 +943,7 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path.to_str().unwrap().to_string(), - signing_certificate: None, - private_key: None, + sign_info: None, img_name: None, img_version: None, metadata: None, @@ -970,8 +953,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, 
@@ -1001,8 +983,12 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path, - signing_certificate: Some(cert_path), - private_key: Some(key_path), + sign_info: Some(SignKeyDataInfo { + cert_path, + key_info: SignKeyInfo::LocalPrivateKeyInfo { + path: key_path, + } + }), img_name: None, img_version: None, metadata: None, @@ -1012,8 +998,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata, @@ -1043,8 +1028,12 @@ mod tests { docker_uri: SAMPLE_DOCKER.to_string(), docker_dir: None, output: eif_path, - signing_certificate: Some(cert_path.clone()), - private_key: Some(key_path), + sign_info: Some(SignKeyDataInfo { + cert_path: cert_path.clone(), + key_info: SignKeyInfo::LocalPrivateKeyInfo { + path: key_path, + } + }), img_name: None, img_version: None, metadata: None, @@ -1054,8 +1043,7 @@ mod tests { &args.docker_uri, &args.docker_dir, &args.output, - &args.signing_certificate, - &args.private_key, + &args.sign_info, &args.img_name, &args.img_version, &args.metadata,