-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor: refactor envelope and signer to support cose (#73)
Signed-off-by: Binbin Li <[email protected]>
- Loading branch information
Showing
16 changed files
with
2,268 additions
and
911 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,112 @@ | ||
package signature | ||
|
||
import ( | ||
"crypto" | ||
"crypto/ecdsa" | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"fmt" | ||
) | ||
|
||
// Algorithm defines the signature algorithm. | ||
type Algorithm int | ||
|
||
// Signature algorithms supported by this library. | ||
// | ||
// Reference: https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection | ||
const ( | ||
AlgorithmPS256 Algorithm = 1 + iota // RSASSA-PSS with SHA-256 | ||
AlgorithmPS384 // RSASSA-PSS with SHA-384 | ||
AlgorithmPS512 // RSASSA-PSS with SHA-512 | ||
AlgorithmES256 // ECDSA on secp256r1 with SHA-256 | ||
AlgorithmES384 // ECDSA on secp384r1 with SHA-384 | ||
AlgorithmES512 // ECDSA on secp521r1 with SHA-512 | ||
) | ||
|
||
// KeyType defines the key type. | ||
type KeyType int | ||
|
||
const ( | ||
KeyTypeRSA KeyType = 1 + iota // KeyType RSA | ||
KeyTypeEC // KeyType EC | ||
) | ||
|
||
// KeySpec defines a key type and size. | ||
type KeySpec struct { | ||
// KeyType is the type of the key. | ||
Type KeyType | ||
|
||
// KeySize is the size of the key in bits. | ||
Size int | ||
} | ||
|
||
// Hash returns the hash function of the algorithm. | ||
func (alg Algorithm) Hash() crypto.Hash { | ||
switch alg { | ||
case AlgorithmPS256, AlgorithmES256: | ||
return crypto.SHA256 | ||
case AlgorithmPS384, AlgorithmES384: | ||
return crypto.SHA384 | ||
case AlgorithmPS512, AlgorithmES512: | ||
return crypto.SHA512 | ||
} | ||
return 0 | ||
} | ||
|
||
// ExtractKeySpec extracts KeySpec from the signing certificate. | ||
func ExtractKeySpec(signingCert *x509.Certificate) (KeySpec, error) { | ||
switch key := signingCert.PublicKey.(type) { | ||
case *rsa.PublicKey: | ||
switch bitSize := key.Size() << 3; bitSize { | ||
case 2048, 3072, 4096: | ||
return KeySpec{ | ||
Type: KeyTypeRSA, | ||
Size: bitSize, | ||
}, nil | ||
default: | ||
return KeySpec{}, &UnsupportedSigningKeyError{ | ||
Msg: fmt.Sprintf("rsa key size %d bits is not supported", bitSize), | ||
} | ||
} | ||
case *ecdsa.PublicKey: | ||
switch bitSize := key.Curve.Params().BitSize; bitSize { | ||
case 256, 384, 521: | ||
return KeySpec{ | ||
Type: KeyTypeEC, | ||
Size: bitSize, | ||
}, nil | ||
default: | ||
return KeySpec{}, &UnsupportedSigningKeyError{ | ||
Msg: fmt.Sprintf("ecdsa key size %d bits is not supported", bitSize), | ||
} | ||
} | ||
} | ||
return KeySpec{}, &UnsupportedSigningKeyError{ | ||
Msg: "unsupported public key type", | ||
} | ||
} | ||
|
||
// SignatureAlgorithm returns the signing algorithm associated with the KeySpec. | ||
func (k KeySpec) SignatureAlgorithm() Algorithm { | ||
switch k.Type { | ||
case KeyTypeEC: | ||
switch k.Size { | ||
case 256: | ||
return AlgorithmES256 | ||
case 384: | ||
return AlgorithmES384 | ||
case 521: | ||
return AlgorithmES512 | ||
} | ||
case KeyTypeRSA: | ||
switch k.Size { | ||
case 2048: | ||
return AlgorithmPS256 | ||
case 3072: | ||
return AlgorithmPS384 | ||
case 4096: | ||
return AlgorithmPS512 | ||
} | ||
} | ||
return 0 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,231 @@ | ||
package signature | ||
|
||
import ( | ||
"crypto" | ||
"crypto/ecdsa" | ||
"crypto/ed25519" | ||
"crypto/elliptic" | ||
"crypto/rand" | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"reflect" | ||
"strconv" | ||
"testing" | ||
|
||
"github.com/notaryproject/notation-core-go/testhelper" | ||
) | ||
|
||
func TestHash(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
alg Algorithm | ||
expect crypto.Hash | ||
}{ | ||
{ | ||
name: "PS256", | ||
alg: AlgorithmPS256, | ||
expect: crypto.SHA256, | ||
}, | ||
{ | ||
name: "ES256", | ||
alg: AlgorithmES256, | ||
expect: crypto.SHA256, | ||
}, | ||
{ | ||
name: "PS384", | ||
alg: AlgorithmPS384, | ||
expect: crypto.SHA384, | ||
}, | ||
{ | ||
name: "ES384", | ||
alg: AlgorithmES384, | ||
expect: crypto.SHA384, | ||
}, | ||
{ | ||
name: "PS512", | ||
alg: AlgorithmPS512, | ||
expect: crypto.SHA512, | ||
}, | ||
{ | ||
name: "ES512", | ||
alg: AlgorithmES512, | ||
expect: crypto.SHA512, | ||
}, | ||
{ | ||
name: "UnsupportedAlgorithm", | ||
alg: 0, | ||
expect: 0, | ||
}, | ||
} | ||
|
||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
hash := tt.alg.Hash() | ||
if hash != tt.expect { | ||
t.Fatalf("Expected %v, got %v", tt.expect, hash) | ||
} | ||
}) | ||
} | ||
} | ||
|
||
func TestExtractKeySpec(t *testing.T) { | ||
type testCase struct { | ||
name string | ||
cert *x509.Certificate | ||
expect KeySpec | ||
expectErr bool | ||
} | ||
// invalid cases | ||
tests := []testCase{ | ||
{ | ||
name: "RSA wrong size", | ||
cert: testhelper.GetUnsupportedRSACert().Cert, | ||
expect: KeySpec{}, | ||
expectErr: true, | ||
}, | ||
{ | ||
name: "ECDSA wrong size", | ||
cert: testhelper.GetUnsupportedECCert().Cert, | ||
expect: KeySpec{}, | ||
expectErr: true, | ||
}, | ||
{ | ||
name: "Unsupported type", | ||
cert: &x509.Certificate{ | ||
PublicKey: ed25519.PublicKey{}, | ||
}, | ||
expect: KeySpec{}, | ||
expectErr: true, | ||
}, | ||
} | ||
|
||
// append valid RSA cases | ||
for _, k := range []int{2048, 3072, 4096} { | ||
rsaRoot := testhelper.GetRSARootCertificate() | ||
priv, _ := rsa.GenerateKey(rand.Reader, k) | ||
|
||
certTuple := testhelper.GetRSACertTupleWithPK( | ||
priv, | ||
"Test RSA_"+strconv.Itoa(priv.Size()), | ||
&rsaRoot, | ||
) | ||
tests = append(tests, testCase{ | ||
name: "RSA " + strconv.Itoa(k), | ||
cert: certTuple.Cert, | ||
expect: KeySpec{ | ||
Type: KeyTypeRSA, | ||
Size: k, | ||
}, | ||
expectErr: false, | ||
}) | ||
} | ||
|
||
// append valid EDCSA cases | ||
for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} { | ||
ecdsaRoot := testhelper.GetECRootCertificate() | ||
priv, _ := ecdsa.GenerateKey(curve, rand.Reader) | ||
bitSize := priv.Params().BitSize | ||
|
||
certTuple := testhelper.GetECDSACertTupleWithPK( | ||
priv, | ||
"Test EC_"+strconv.Itoa(bitSize), | ||
&ecdsaRoot, | ||
) | ||
tests = append(tests, testCase{ | ||
name: "EC " + strconv.Itoa(bitSize), | ||
cert: certTuple.Cert, | ||
expect: KeySpec{ | ||
Type: KeyTypeEC, | ||
Size: bitSize, | ||
}, | ||
expectErr: false, | ||
}) | ||
} | ||
|
||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
keySpec, err := ExtractKeySpec(tt.cert) | ||
|
||
if (err != nil) != tt.expectErr { | ||
t.Errorf("error = %v, expectErr = %v", err, tt.expectErr) | ||
} | ||
if !reflect.DeepEqual(keySpec, tt.expect) { | ||
t.Errorf("expect %+v, got %+v", tt.expect, keySpec) | ||
} | ||
}) | ||
} | ||
} | ||
|
||
func TestSignatureAlgorithm(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
keySpec KeySpec | ||
expect Algorithm | ||
}{ | ||
{ | ||
name: "EC 256", | ||
keySpec: KeySpec{ | ||
Type: KeyTypeEC, | ||
Size: 256, | ||
}, | ||
expect: AlgorithmES256, | ||
}, | ||
{ | ||
name: "EC 384", | ||
keySpec: KeySpec{ | ||
Type: KeyTypeEC, | ||
Size: 384, | ||
}, | ||
expect: AlgorithmES384, | ||
}, | ||
{ | ||
name: "EC 521", | ||
keySpec: KeySpec{ | ||
Type: KeyTypeEC, | ||
Size: 521, | ||
}, | ||
expect: AlgorithmES512, | ||
}, | ||
{ | ||
name: "RSA 2048", | ||
keySpec: KeySpec{ | ||
Type: KeyTypeRSA, | ||
Size: 2048, | ||
}, | ||
expect: AlgorithmPS256, | ||
}, | ||
{ | ||
name: "RSA 3072", | ||
keySpec: KeySpec{ | ||
Type: KeyTypeRSA, | ||
Size: 3072, | ||
}, | ||
expect: AlgorithmPS384, | ||
}, | ||
{ | ||
name: "RSA 4096", | ||
keySpec: KeySpec{ | ||
Type: KeyTypeRSA, | ||
Size: 4096, | ||
}, | ||
expect: AlgorithmPS512, | ||
}, | ||
{ | ||
name: "Unsupported key spec", | ||
keySpec: KeySpec{ | ||
Type: 0, | ||
Size: 0, | ||
}, | ||
expect: 0, | ||
}, | ||
} | ||
|
||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
alg := tt.keySpec.SignatureAlgorithm() | ||
if alg != tt.expect { | ||
t.Errorf("unexpected signature algorithm: %v, expect: %v", alg, tt.expect) | ||
} | ||
}) | ||
} | ||
} |
Oops, something went wrong.