test: add test on new sign actions

crate/cli/src/tests/kms/attributes/get.rs

@@ -1,6 +1,7 @@
 use std::{collections::HashMap, process::Command};
 
 use assert_cmd::cargo::CommandCargoExt;
+use clap::ValueEnum;
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
     kmip_2_1::kmip_types::Tag, reexport::cosmian_kms_client_utils::attributes_utils::CLinkType,
 };
@@ -46,7 +47,12 @@ pub(crate) fn get_attributes(
 
     for link_type in attribute_link_types {
         args.push("--link-type".to_owned());
-        args.push(link_type.to_string());
+        let name = link_type
+            .to_possible_value()
+            .expect("valid CLinkType")
+            .get_name()
+            .to_string();
+        args.push(name);
     }
 
     let mut cmd = Command::cargo_bin(PROG_NAME)?;

crate/cli/src/tests/kms/certificates/certify.rs

@@ -1,6 +1,7 @@
 use std::{path::PathBuf, process::Command};
 
 use assert_cmd::cargo::CommandCargoExt;
+use clap::ValueEnum;
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
     cosmian_kmip::{
         kmip_2_1::{kmip_objects::Object, kmip_types::LinkType},
@@ -91,7 +92,12 @@ pub(crate) fn certify(cli_conf_path: &str, certify_op: CertifyOp) -> CosmianResu
     }
     if let Some(algorithm) = certify_op.algorithm {
         args.push("--algorithm".to_owned());
-        args.push(algorithm.to_string());
+        let name = algorithm
+            .to_possible_value()
+            .expect("valid Algorithm")
+            .get_name()
+            .to_string();
+        args.push(name);
     }
     if let Some(certificate_id) = certify_op.certificate_id {
         args.push("--certificate-id".to_owned());

crate/cli/src/tests/kms/derive_key/derive_key_tests.rs

@@ -1,6 +1,7 @@
 use std::process::Command;
 
 use assert_cmd::prelude::*;
+use clap::ValueEnum;
 use cosmian_kms_cli::{
     actions::kms::{
         derive_key::DeriveKeyAction, mac::CHashingAlgorithm,
@@ -43,7 +44,12 @@ pub(crate) fn derive_key(cli_conf_path: &str, action: DeriveKeyAction) -> Cosmia
     let mut args: Vec<String> = vec![
         // Algorithm and length are explicit to avoid relying on defaults
         "--algorithm".to_owned(),
-        action.algorithm.to_string(),
+        action
+            .algorithm
+            .to_possible_value()
+            .expect("possible value")
+            .get_name()
+            .to_string(),
         "--length".to_owned(),
         action.cryptographic_length.to_string(),
         "--derivation-method".to_owned(),

crate/cli/src/tests/kms/elliptic_curve/mod.rs

@@ -2,6 +2,7 @@
 pub(crate) mod create_key_pair;
 #[cfg(feature = "non-fips")]
 pub(crate) mod encrypt_decrypt;
+pub(crate) mod sign_verify;
 
 #[cfg(feature = "non-fips")]
 pub(crate) const SUB_COMMAND: &str = "ec";

crate/cli/src/tests/kms/elliptic_curve/sign_verify.rs

@@ -0,0 +1,125 @@
+use std::{fs, path::PathBuf, process::Command};
+
+use assert_cmd::prelude::*;
+use tempfile::TempDir;
+use test_kms_server::start_default_test_kms_server;
+
+use super::SUB_COMMAND;
+use crate::{
+    config::COSMIAN_CLI_CONF_ENV,
+    error::{CosmianError, result::CosmianResult},
+    tests::{
+        PROG_NAME,
+        kms::{
+            KMS_SUBCOMMAND, elliptic_curve::create_key_pair::create_ec_key_pair,
+            utils::recover_cmd_logs,
+        },
+        save_kms_cli_config,
+    },
+};
+
+/// Sign a file using EC keys via CLI
+fn ec_sign(
+    cli_conf_path: &str,
+    input_file: &str,
+    key_id: &str,
+    output_file: Option<&str>,
+    digested: bool,
+) -> CosmianResult<()> {
+    let mut cmd = Command::cargo_bin(PROG_NAME)?;
+    cmd.env(COSMIAN_CLI_CONF_ENV, cli_conf_path);
+
+    let mut args = vec!["sign", input_file, "--key-id", key_id];
+    if digested {
+        args.push("--digested");
+    }
+    if let Some(output_file) = output_file {
+        args.push("-o");
+        args.push(output_file);
+    }
+
+    cmd.arg(KMS_SUBCOMMAND).arg(SUB_COMMAND).args(args);
+    let output = recover_cmd_logs(&mut cmd);
+    if output.status.success() {
+        let stdout = std::str::from_utf8(&output.stdout)?;
+        assert!(stdout.contains("Signature written to"));
+        return Ok(());
+    }
+
+    Err(CosmianError::Default(
+        std::str::from_utf8(&output.stderr)?.to_owned(),
+    ))
+}
+
+/// Verify a signature using EC keys via CLI
+fn ec_sign_verify(
+    cli_conf_path: &str,
+    data_file: &str,
+    signature_file: &str,
+    key_id: &str,
+    digested: bool,
+) -> CosmianResult<()> {
+    let mut cmd = Command::cargo_bin(PROG_NAME)?;
+    cmd.env(COSMIAN_CLI_CONF_ENV, cli_conf_path);
+
+    let mut args = vec!["sign-verify", data_file, signature_file, "--key-id", key_id];
+    if digested {
+        args.push("--digested");
+    }
+
+    cmd.arg(KMS_SUBCOMMAND).arg(SUB_COMMAND).args(args);
+    let output = recover_cmd_logs(&mut cmd);
+    if output.status.success() {
+        let stdout = std::str::from_utf8(&output.stdout)?;
+        assert!(stdout.contains("Signature verification is Valid"));
+        return Ok(());
+    }
+
+    Err(CosmianError::Default(
+        std::str::from_utf8(&output.stderr)?.to_owned(),
+    ))
+}
+
+#[tokio::test]
+async fn ecdsa_digested_sign_verify_cli() -> CosmianResult<()> {
+    let ctx = start_default_test_kms_server().await;
+    let (owner_client_conf_path, _) = save_kms_cli_config(ctx);
+
+    // create a temp dir
+    let tmp_dir = TempDir::new()?;
+    let tmp_path = tmp_dir.path();
+
+    let input_file = PathBuf::from("../../test_data/plain.txt");
+    let digest_file = tmp_path.join("plain.sha256");
+    let sig_file = tmp_path.join("plain.sha256.ec.sig");
+
+    // compute SHA-256 digest of input and write to digest_file
+    let data = std::fs::read(&input_file)?;
+    let digest = openssl::sha::sha256(&data);
+    std::fs::write(&digest_file, digest)?;
+
+    let (private_key_id, public_key_id) =
+        create_ec_key_pair(&owner_client_conf_path, "nist-p256", &[], false)?;
+
+    // Sign digested input
+    fs::remove_file(&sig_file).ok();
+    ec_sign(
+        &owner_client_conf_path,
+        digest_file.to_str().unwrap(),
+        &private_key_id,
+        Some(sig_file.to_str().unwrap()),
+        true,
+    )?;
+    assert!(sig_file.exists());
+
+    // Verify digested input
+    ec_sign_verify(
+        &owner_client_conf_path,
+        digest_file.to_str().unwrap(),
+        sig_file.to_str().unwrap(),
+        &public_key_id,
+        true,
+    )?;
+
+    Ok(())
+}

crate/cli/src/tests/kms/rsa/encrypt_decrypt.rs

@@ -1,6 +1,7 @@
 use std::{collections::HashSet, fs, path::PathBuf, process::Command};
 
 use assert_cmd::prelude::*;
+use clap::ValueEnum;
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
     read_bytes_from_file,
     reexport::cosmian_kms_client_utils::rsa_utils::{HashFn, RsaEncryptionAlgorithm},
@@ -43,9 +44,20 @@ pub(crate) fn encrypt(
     args.push("--key-id");
     args.push(public_key_id);
     args.push("--encryption-algorithm");
-    let encryption_algorithm = encryption_algorithm.to_string();
+    let encryption_algorithm = encryption_algorithm
+        .to_possible_value()
+        .expect("valid RSA algorithm")
+        .get_name()
+        .to_string();
     args.push(&encryption_algorithm);
-    let hash_fn_s = hash_fn.map(|h| h.to_string()).unwrap_or_default();
+    let hash_fn_s = hash_fn
+        .map(|h| {
+            h.to_possible_value()
+                .expect("valid hash")
+                .get_name()
+                .to_string()
+        })
+        .unwrap_or_default();
     if hash_fn.is_some() {
         args.push("--hashing-algorithm");
         args.push(&hash_fn_s);
@@ -81,9 +93,20 @@ pub(crate) fn decrypt(
 
     let mut args = vec!["decrypt", input_file, "--key-id", private_key_id];
     args.push("--encryption-algorithm");
-    let encryption_algorithm = encryption_algorithm.to_string();
+    let encryption_algorithm = encryption_algorithm
+        .to_possible_value()
+        .expect("valid RSA algorithm")
+        .get_name()
+        .to_string();
     args.push(&encryption_algorithm);
-    let hash_fn_str = hash_fn.map(|h| h.to_string()).unwrap_or_default();
+    let hash_fn_str = hash_fn
+        .map(|h| {
+            h.to_possible_value()
+                .expect("valid hash")
+                .get_name()
+                .to_string()
+        })
+        .unwrap_or_default();
     if hash_fn.is_some() {
         args.push("--hashing-algorithm");
         args.push(&hash_fn_str);

crate/cli/src/tests/kms/rsa/mod.rs

@@ -2,6 +2,7 @@
 pub(crate) mod create_key_pair;
 #[cfg(feature = "non-fips")]
 pub(crate) mod encrypt_decrypt;
+pub(crate) mod sign_verify;
 
 #[cfg(feature = "non-fips")]
 pub(crate) const SUB_COMMAND: &str = "rsa";