[attestation-service] Fix Bug In End-To-End SGX Tests

Author: csegarragonz

GEMINI.md

@@ -120,3 +120,25 @@ the sysroot container. To do so, you may use `accli` as follows:
 # To build/test applications.
 ./scripts/accli_wrapper.sh applications {build,test}
 ```
+
+For C++ code, only add block comments in header files (if present) and use
+doxygen-style documentation, e.g:
+
+```
+/**
+ * @brief Packs a FullKey from a vector of authorities and base64-encoded
+ * partial keys.
+ *
+ * This is an overload of packFullKey that accepts partial keys as
+ * base64-encoded strings. It decodes the keys and then calls the primary
+ * packFullKey function, finally returning a base64-encoded string of the packed
+ * key.
+ *
+ * @param authorities A const reference to a vector of authority strings.
+ * @param partial_keys_b64 A const reference to a vector of base64-encoded
+ * partial key strings.
+ * @return A std::string containing the base64-encoded serialized FullKey.
+ */
+std::string packFullKey(const std::vector<std::string> &authorities,
+                        const std::vector<std::string> &partial_keys_b64);
+```

accless/README.md

@@ -3,11 +3,11 @@
 To build:
 
 ```bash
-accli docker run --mount --cwd /code/accless/accless python3 build.py [-- --clean]
+accli accless build
 ```
 
 To test:
 
 ```bash
-accli docker run --mount --cwd /code/accless/accless/build-native  ctest -- --output-on-failure
+accli accless test
 ```

accless/libs/abe4/cpp-bindings/abe4.cpp

@@ -25,6 +25,23 @@ SetupOutput setup(const std::vector<std::string> &auths) {
     return {result_json["msk"], result_json["mpk"]};
 }
 
+SetupOutput setupPartial(const std::string &auth_id) {
+    char *result = setup_partial_abe4(auth_id.c_str());
+    if (!result) {
+        std::cerr
+            << "accless(abe4): FFI call to setup_partial_abe4 failed. See Rust "
+               "logs for details."
+            << std::endl;
+        throw std::runtime_error(
+            "accless(abe4): setup_partial_abe4 FFI call failed");
+    }
+
+    auto result_json = nlohmann::json::parse(result);
+    free_string(result);
+
+    return {result_json["msk"], result_json["mpk"]};
+}
+
 std::string keygen(const std::string &gid, const std::string &msk,
                    const std::vector<UserAttribute> &user_attrs) {
     nlohmann::json user_attrs_json = nlohmann::json::array();
@@ -49,6 +66,33 @@ std::string keygen(const std::string &gid, const std::string &msk,
     return usk_b64;
 }
 
+std::string keygenPartial(const std::string &gid,
+                          const std::string &partial_msk_b64,
+                          const std::vector<UserAttribute> &user_attrs) {
+    nlohmann::json user_attrs_json = nlohmann::json::array();
+    for (const auto &attr : user_attrs) {
+        user_attrs_json.push_back({{"authority", attr.authority},
+                                   {"label", attr.label},
+                                   {"attribute", attr.attribute}});
+    }
+
+    char *result = keygen_partial_abe4(gid.c_str(), partial_msk_b64.c_str(),
+                                       user_attrs_json.dump().c_str());
+    if (!result) {
+        std::cerr << "accless(abe4): FFI call to keygen_partial_abe4 failed. "
+                     "See Rust "
+                     "logs for details."
+                  << std::endl;
+        throw std::runtime_error(
+            "accless(abe4): keygen_partial_abe4 FFI call failed");
+    }
+
+    std::string partial_usk_b64(result);
+    free_string(result);
+
+    return partial_usk_b64;
+}
+
 EncryptOutput encrypt(const std::string &mpk, const std::string &policy) {
     char *result = encrypt_abe4(mpk.c_str(), policy.c_str());
     if (!result) {
@@ -136,11 +180,12 @@ packFullKey(const std::vector<std::string> &authorities,
                               pair.first.end());
 
         uint64_t key_len = pair.second.size();
-        full_key_bytes.insert(
-            full_key_bytes.end(), reinterpret_cast<const uint8_t *>(&key_len),
-            reinterpret_cast<const uint8_t *>(&key_len) + sizeof(uint64_t));
+        full_key_bytes.insert(full_key_bytes.end(),
+                              reinterpret_cast<const uint8_t *>(&key_len),
+                              reinterpret_cast<const uint8_t *>(&key_len) +
+                                  sizeof(uint64_t)); // 4. Partial key length
         full_key_bytes.insert(full_key_bytes.end(), pair.second.begin(),
-                              pair.second.end());
+                              pair.second.end()); // 5. Partial key bytes
     }
 
     return full_key_bytes;

accless/libs/abe4/cpp-bindings/abe4.h

@@ -14,6 +14,10 @@ char *keygen_abe4(const char *gid, const char *msk_b64,
 char *encrypt_abe4(const char *mpk_b64, const char *policy_str);
 char *decrypt_abe4(const char *usk_b64, const char *gid, const char *policy_str,
                    const char *ct_b64);
+char *setup_partial_abe4(const char *auth_id_cstr);
+char *keygen_partial_abe4(const char *gid_cstr,
+                          const char *partial_msk_b64_cstr,
+                          const char *user_attrs_json);
 
 } // extern "C"
 
@@ -36,6 +40,22 @@ struct UserAttribute {
 
 SetupOutput setup(const std::vector<std::string> &auths);
 
+/**
+ * @brief Generates a partial Master Secret Key (MSK) and a partial Master
+ * Public Key (MPK) for a single authority.
+ *
+ * This function acts as a C++ wrapper around the Rust `setup_partial` FFI
+ * function. It takes an authority ID, calls the Rust FFI function, parses the
+ * JSON output, and returns a `SetupOutput` struct containing the base64-encoded
+ * partial MSK and MPK.
+ *
+ * @param auth_id The unique identifier of the authority.
+ * @return A `SetupOutput` struct containing the base64-encoded partial MSK and
+ * MPK.
+ * @throws std::runtime_error on error.
+ */
+SetupOutput setupPartial(const std::string &auth_id);
+
 /**
  * @brief Generates a User Secret Key (USK) for a given global ID, Master Secret
  * Key (MSK), and a set of user attributes.
@@ -54,6 +74,28 @@ SetupOutput setup(const std::vector<std::string> &auths);
 std::string keygen(const std::string &gid, const std::string &msk,
                    const std::vector<UserAttribute> &user_attrs);
 
+/**
+ * @brief Generates a partial User Secret Key (USK) for a given global ID,
+ * partial Master Secret Key (MSK), and a set of user attributes.
+ *
+ * This function acts as a C++ wrapper around the Rust `keygen_partial` FFI
+ * function. It takes the group ID, a base64 encoded partial Master Secret Key,
+ * and a vector of UserAttribute objects. It serializes the user attributes to
+ * JSON, calls the Rust FFI function, and returns the base64 encoded partial
+ * User Secret Key.
+ *
+ * @param gid The group ID for which the partial USK is to be generated.
+ * @param partial_msk_b64 A base64 encoded string representing the partial
+ * Master Secret Key.
+ * @param user_attrs A vector of UserAttribute objects associated with the user.
+ * @return A base64 encoded string representing the generated partial User
+ * Secret Key (USK).
+ * @throws std::runtime_error on error.
+ */
+std::string keygenPartial(const std::string &gid,
+                          const std::string &partial_msk_b64,
+                          const std::vector<UserAttribute> &user_attrs);
+
 /**
  * @brief Encrypts a message using the Master Public Key (MPK) and a policy.
  *

accless/libs/abe4/cpp-bindings/tests.cpp

@@ -121,33 +121,47 @@ TEST(Abe4Test, PackFullKey) {
     EXPECT_EQ(packed_mpk_b64, setup_output.mpk);
 }
 
-TEST(Abe4Test, EndToEndSingleAuthority) {
-    std::string auth = "auth1";
-    accless::abe4::SetupOutput setup_output = accless::abe4::setup({auth});
-    ASSERT_FALSE(setup_output.msk.empty());
-    ASSERT_FALSE(setup_output.mpk.empty());
-
+TEST(Abe4Test, EndToEndSingleAuthorityPartial) {
+    std::string auth_id = "TEST_AUTH_ID";
     std::string gid = "test_gid";
     std::string wfId = "foo";
     std::string nodeId = "bar";
 
+    // 1. Setup partial keys
+    accless::abe4::SetupOutput partial_setup_output =
+        accless::abe4::setupPartial(auth_id);
+    ASSERT_FALSE(partial_setup_output.msk.empty());
+    ASSERT_FALSE(partial_setup_output.mpk.empty());
+
+    // 2. Keygen partial USK
+    std::vector<accless::abe4::UserAttribute> user_attrs = {
+        {auth_id, "wf", wfId}, {auth_id, "node", nodeId}};
+    std::string partial_usk_b64 =
+        accless::abe4::keygenPartial(gid, partial_setup_output.msk, user_attrs);
+    ASSERT_FALSE(partial_usk_b64.empty());
+
+    // 3. Pack full MPK
+    std::string mpk =
+        accless::abe4::packFullKey({auth_id}, {partial_setup_output.mpk});
+    ASSERT_FALSE(mpk.empty());
+
+    // 4. Pack full USK
+    std::string usk = accless::abe4::packFullKey({auth_id}, {partial_usk_b64});
+    ASSERT_FALSE(usk.empty());
+
+    // 5. Define policy
     std::string policy =
-        auth + ".wf:" + wfId + " & " + auth + ".node:" + nodeId;
+        auth_id + ".wf:" + wfId + " & " + auth_id + ".node:" + nodeId;
 
+    // 6. Encrypt
     accless::abe4::EncryptOutput encrypt_output =
-        accless::abe4::encrypt(setup_output.mpk, policy);
+        accless::abe4::encrypt(mpk, policy);
     ASSERT_FALSE(encrypt_output.gt.empty());
     ASSERT_FALSE(encrypt_output.ciphertext.empty());
 
-    std::vector<accless::abe4::UserAttribute> user_attrs = {
-        {auth, "wf", wfId}, {auth, "node", nodeId}};
-
-    std::string usk_b64 =
-        accless::abe4::keygen(gid, setup_output.msk, user_attrs);
-    ASSERT_FALSE(usk_b64.empty());
-
+    // 7. Decrypt
     std::optional<std::string> decrypted_gt =
-        accless::abe4::decrypt(usk_b64, gid, policy, encrypt_output.ciphertext);
+        accless::abe4::decrypt(usk, gid, policy, encrypt_output.ciphertext);
     ASSERT_TRUE(decrypted_gt.has_value());
     EXPECT_EQ(decrypted_gt.value(), encrypt_output.gt);
 }