Skip to content

Commit

Permalink
Fix entry tests to ensure ed25519 is now accepted
Browse files Browse the repository at this point in the history
Signed-off-by: Riccardo Schirone <[email protected]>
  • Loading branch information
ret2libc committed Feb 6, 2024
1 parent 3971e51 commit 1dece02
Showing 1 changed file with 37 additions and 12 deletions.
49 changes: 37 additions & 12 deletions pkg/types/hashedrekord/v0.0.1/entry_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ import (
"github.com/sigstore/rekor/pkg/types"
"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/options"
"go.uber.org/goleak"
)

Expand Down Expand Up @@ -113,17 +114,17 @@ func TestCrossFieldValidation(t *testing.T) {
Type: "PUBLIC KEY",
})

// testing lack of support for ed25519
invalidEdPubKey, _, err := ed25519.GenerateKey(rand.Reader)
// testing support ed25519
edPubKey, edPrivKey, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatal(err)
}
invalidDer, err := x509.MarshalPKIXPublicKey(invalidEdPubKey)
edDer, err := x509.MarshalPKIXPublicKey(edPubKey)
if err != nil {
t.Fatal(err)
}
invalidKeyBytes := pem.EncodeToMemory(&pem.Block{
Bytes: invalidDer,
edPubKeyBytes := pem.EncodeToMemory(&pem.Block{
Bytes: edDer,
Type: "PUBLIC KEY",
})

Expand All @@ -142,6 +143,9 @@ func TestCrossFieldValidation(t *testing.T) {
sha512Signer, _ := signature.LoadSigner(key, crypto.SHA512)
sha512SigBytes, _ := sha512Signer.SignMessage(bytes.NewReader(dataBytes))

edsha512Signer, _ := signature.LoadSignerWithOpts(edPrivKey, options.WithHash(crypto.SHA512), options.WithED25519ph())
edsha512SigBytes, _ := edsha512Signer.SignMessage(bytes.NewReader(dataBytes))

incorrectLengthHash := sha256.Sum224(dataBytes)
incorrectLengthSHA := hex.EncodeToString(incorrectLengthHash[:])

Expand Down Expand Up @@ -197,16 +201,15 @@ func TestCrossFieldValidation(t *testing.T) {
entry: V001Entry{
HashedRekordObj: models.HashedrekordV001Schema{
Signature: &models.HashedrekordV001SchemaSignature{
Content: sha256SigBytes,
Content: edsha512SigBytes,
PublicKey: &models.HashedrekordV001SchemaSignaturePublicKey{
Content: invalidKeyBytes,
Content: edPubKeyBytes,
},
},
},
},
expectedHashValue: "sha256:" + dataSHA256,
expectUnmarshalSuccess: false,
// successful even if unmarshalling fails, because the ed25519 key is valid
expectedHashValue: "sha512:" + dataSHA512,
expectUnmarshalSuccess: false,
expectedVerifierSuccess: true,
},
{
Expand Down Expand Up @@ -242,6 +245,29 @@ func TestCrossFieldValidation(t *testing.T) {
expectUnmarshalSuccess: false,
expectedVerifierSuccess: true,
},
{
caseDesc: "signature with ed25519 public key (with data)",
entry: V001Entry{
HashedRekordObj: models.HashedrekordV001Schema{
Signature: &models.HashedrekordV001SchemaSignature{
Content: edsha512SigBytes,
PublicKey: &models.HashedrekordV001SchemaSignaturePublicKey{
Content: edPubKeyBytes,
},
},
Data: &models.HashedrekordV001SchemaData{
Hash: &models.HashedrekordV001SchemaDataHash{
Algorithm: swag.String(models.HashedrekordV001SchemaDataHashAlgorithmSha512),
Value: swag.String(dataSHA512),
},
},
},
},
expectedHashValue: "sha512:" + dataSHA512,
expectUnmarshalSuccess: true,
expectCanonicalizeSuccess: true,
expectedVerifierSuccess: true,
},
{
caseDesc: "signature with sha256 hash",
entry: V001Entry{
Expand Down Expand Up @@ -457,8 +483,7 @@ func TestCrossFieldValidation(t *testing.T) {
t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err)
} else {
pub, _ := verifiers[0].CanonicalValue()
// invalidKeyBytes is a valid ed25519 key
if !reflect.DeepEqual(pub, keyBytes) && !reflect.DeepEqual(pub, invalidKeyBytes) {
if !reflect.DeepEqual(pub, keyBytes) && !reflect.DeepEqual(pub, edPubKeyBytes) {
t.Errorf("verifier and public keys do not match: %v, %v", string(pub), string(keyBytes))
}
}
Expand Down

0 comments on commit 1dece02

Please sign in to comment.