Merge pull request #256 from tri-adam/refactor-sv
Refactor Test Key Corpus
tri-adam authored Feb 6, 2023
2 parents 749e30a + 1828fa2 commit f61233a
Showing 17 changed files with 248 additions and 143 deletions.
242 changes: 138 additions & 104 deletions pkg/integrity/dsse_test.go
@@ -1,4 +1,4 @@
// Copyright (c) 2022, Sylabs Inc. All rights reserved.
// Copyright (c) 2022-2023, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
// distributed with the sources of this project regarding your rights to use or distribute this
// software.
Expand All @@ -22,9 +22,6 @@ import (
)

func Test_dsseEncoder_signMessage(t *testing.T) {
ed25519 := getTestSignerVerifier(t, "ed25519.pem")
rsa := getTestSignerVerifier(t, "rsa.pem")

tests := []struct {
name string
signers []signature.Signer
Expand All @@ -33,39 +30,45 @@ func Test_dsseEncoder_signMessage(t *testing.T) {
wantHash crypto.Hash
}{
{
name: "Multi",
signers: []signature.Signer{ed25519, rsa},
wantHash: crypto.SHA256,
},
{
name: "ED25519",
signers: []signature.Signer{ed25519},
name: "Multi",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
wantHash: crypto.SHA256,
},
{
name: "RSA",
signers: []signature.Signer{rsa},
wantHash: crypto.SHA256,
name: "ED25519",
signers: []signature.Signer{
getTestSigner(t, "ed25519-private.pem", crypto.Hash(0)),
},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.Hash(0)),
},
wantHash: crypto.Hash(0),
},
{
name: "SHA256",
signers: []signature.Signer{rsa},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.SHA256),
name: "RSA_SHA256",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
wantHash: crypto.SHA256,
},
{
name: "SHA384",
signers: []signature.Signer{rsa},
name: "RSA_SHA384",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA384),
},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.SHA384),
},
wantHash: crypto.SHA384,
},
{
name: "SHA512",
signers: []signature.Signer{rsa},
name: "RSA_SHA512",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA512),
},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.SHA512),
},
Expand Down Expand Up @@ -143,25 +146,6 @@ func corruptSignatures(t *testing.T, _ *dsseEncoder, e *dsse.Envelope) {
}

func Test_dsseDecoder_verifyMessage(t *testing.T) {
ecdsa := getTestSignerVerifier(t, "ecdsa.pem")
ed25519 := getTestSignerVerifier(t, "ed25519.pem")
rsa := getTestSignerVerifier(t, "rsa.pem")

ecdsaPub, err := ecdsa.PublicKey()
if err != nil {
t.Fatal(err)
}

ed25519Pub, err := ed25519.PublicKey()
if err != nil {
t.Fatal(err)
}

rsaPub, err := rsa.PublicKey()
if err != nil {
t.Fatal(err)
}

tests := []struct {
name string
signers []signature.Signer
Expand All @@ -173,107 +157,157 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) {
wantKeys []crypto.PublicKey
}{
{
name: "CorruptPayloadType",
signers: []signature.Signer{rsa},
name: "CorruptPayloadType",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
corrupter: corruptPayloadType,
de: newDSSEDecoder(rsa),
wantErr: errDSSEUnexpectedPayloadType,
wantKeys: []crypto.PublicKey{rsaPub},
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
),
wantErr: errDSSEUnexpectedPayloadType,
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "rsa-public.pem"),
},
},
{
name: "CorruptPayload",
signers: []signature.Signer{rsa},
name: "CorruptPayload",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
corrupter: corruptPayload,
de: newDSSEDecoder(rsa),
wantErr: errDSSEVerifyEnvelopeFailed,
wantKeys: []crypto.PublicKey{},
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
),
wantErr: errDSSEVerifyEnvelopeFailed,
wantKeys: []crypto.PublicKey{},
},
{
name: "CorruptSignatures",
signers: []signature.Signer{rsa},
name: "CorruptSignatures",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
corrupter: corruptSignatures,
de: newDSSEDecoder(rsa),
wantErr: errDSSEVerifyEnvelopeFailed,
wantKeys: []crypto.PublicKey{},
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
),
wantErr: errDSSEVerifyEnvelopeFailed,
wantKeys: []crypto.PublicKey{},
},
{
name: "VerifyMulti",
signers: []signature.Signer{ecdsa, ed25519, rsa},
de: newDSSEDecoder(ecdsa, ed25519, rsa),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{ecdsaPub, ed25519Pub, rsaPub},
},
{
name: "ECDSAVerifyMulti",
signers: []signature.Signer{ecdsa, ed25519, rsa},
de: newDSSEDecoder(ecdsa),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{ecdsaPub},
},
{
name: "ED25519VerifyMulti",
signers: []signature.Signer{ecdsa, ed25519, rsa},
de: newDSSEDecoder(ed25519),
name: "Multi_SHA256",
signers: []signature.Signer{
getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
de: newDSSEDecoder(
getTestVerifier(t, "ecdsa-public.pem", crypto.SHA256),
getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{ed25519Pub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "ecdsa-public.pem"),
getTestPublicKey(t, "rsa-public.pem"),
},
},
{
name: "RSAVerifyMulti",
signers: []signature.Signer{ecdsa, ed25519, rsa},
de: newDSSEDecoder(rsa),
name: "Multi_SHA256_ECDSA",
signers: []signature.Signer{
getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
de: newDSSEDecoder(
getTestVerifier(t, "ecdsa-public.pem", crypto.SHA256),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{rsaPub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "ecdsa-public.pem"),
},
},
{
name: "ECDSA",
signers: []signature.Signer{ecdsa},
de: newDSSEDecoder(ecdsa),
name: "Multi_SHA256_RSA",
signers: []signature.Signer{
getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{ecdsaPub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "rsa-public.pem"),
},
},
{
name: "ED25519",
signers: []signature.Signer{ed25519},
de: newDSSEDecoder(ed25519),
name: "ECDSA_SHA256",
signers: []signature.Signer{
getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),
},
de: newDSSEDecoder(
getTestVerifier(t, "ecdsa-public.pem", crypto.SHA256),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{ed25519Pub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "ecdsa-public.pem"),
},
},
{
name: "RSA",
signers: []signature.Signer{rsa},
de: newDSSEDecoder(rsa),
name: "ED25519",
signers: []signature.Signer{
getTestSigner(t, "ed25519-private.pem", crypto.Hash(0)),
},
de: newDSSEDecoder(
getTestVerifier(t, "ed25519-public.pem", crypto.Hash(0)),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{rsaPub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "ed25519-public.pem"),
},
},
{
name: "SHA256",
signers: []signature.Signer{rsa},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.SHA256),
name: "RSA_SHA256",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA256),
},
de: newDSSEDecoder(rsa),
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA256),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{rsaPub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "rsa-public.pem"),
},
},
{
name: "SHA384",
signers: []signature.Signer{rsa},
name: "RSA_SHA384",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA384),
},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.SHA384),
},
de: newDSSEDecoder(rsa),
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA384),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{rsaPub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "rsa-public.pem"),
},
},
{
name: "SHA512",
signers: []signature.Signer{rsa},
name: "RSA_SHA512",
signers: []signature.Signer{
getTestSigner(t, "rsa-private.pem", crypto.SHA512),
},
signOpts: []signature.SignOption{
options.WithCryptoSignerOpts(crypto.SHA512),
},
de: newDSSEDecoder(rsa),
de: newDSSEDecoder(
getTestVerifier(t, "rsa-public.pem", crypto.SHA512),
),
wantMessage: testMessage,
wantKeys: []crypto.PublicKey{rsaPub},
wantKeys: []crypto.PublicKey{
getTestPublicKey(t, "rsa-public.pem"),
},
},
}

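Review bot: The "Multi" case of Test_dsseEncoder_signMessage now builds its signer list from `getTestSigner(t, "rsa-private.pem", crypto.SHA256)` twice, so the case no longer exercises an envelope that carries signatures from two distinct keys, which the previous ed25519-plus-RSA pairing did. The regenerated fixture at the end of this commit appears to show the effect, since both `signatures` entries carry the same `keyid`; which of the two fixture lines is the new side is not marked on this page, so that reading is inferred from the table. A regression that mis-attributes or collapses signatures across keys would pass this case unnoticed, whereas the verifyMessage table already mixes keys in its "Multi_SHA256" case. Consider mirroring that, with `getTestSigner(t, "ecdsa-private.pem", crypto.SHA256),` followed by `getTestSigner(t, "rsa-private.pem", crypto.SHA256),`, and regenerating the golden envelope accordingly. Both test functions' bodies continue past the hunks shown here.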
39 changes: 35 additions & 4 deletions pkg/integrity/main_test.go
@@ -1,4 +1,4 @@
// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
// Copyright (c) 2020-2023, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
// distributed with the sources of this project regarding your rights to use or distribute this
// software.
Expand Down Expand Up @@ -42,20 +42,51 @@ func loadContainer(t *testing.T, path string) *sif.FileImage {
return f
}

// getTestSignerVerifier returns a SignerVerifier read from the PEM file at path.
func getTestSignerVerifier(t *testing.T, name string) signature.SignerVerifier { //nolint:ireturn
// getTestSigner returns a Signer read from the PEM file at path.
func getTestSigner(t *testing.T, name string, h crypto.Hash) signature.Signer { //nolint:ireturn
t.Helper()

path := filepath.Join("..", "..", "test", "keys", name)

sv, err := signature.LoadSignerVerifierFromPEMFile(path, crypto.SHA256, cryptoutils.SkipPassword)
sv, err := signature.LoadSignerFromPEMFile(path, h, cryptoutils.SkipPassword)
if err != nil {
t.Fatal(err)
}

return sv
}

// getTestVerifier returns a Verifier read from the PEM file at path.
func getTestVerifier(t *testing.T, name string, h crypto.Hash) signature.Verifier { //nolint:ireturn
t.Helper()

sv, err := signature.LoadVerifier(getTestPublicKey(t, name), h)
if err != nil {
t.Fatal(err)
}

return sv
}

// getTestPublicKey returns a PublicKey read from the PEM file at path.
func getTestPublicKey(t *testing.T, name string) crypto.PublicKey {
t.Helper()

path := filepath.Join("..", "..", "test", "keys", name)

b, err := os.ReadFile(path)
if err != nil {
t.Fatal(err)
}

pub, err := cryptoutils.UnmarshalPEMToPublicKey(b)
if err != nil {
t.Fatal(err)
}

return pub
}

// getTestEntity returns a fixed test PGP entity.
func getTestEntity(t *testing.T) *openpgp.Entity {
t.Helper()
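Review bot: The doc comments on the three new helpers describe "the PEM file at path", but none of them takes a path: each takes a file `name` that is resolved under `filepath.Join("..", "..", "test", "keys", name)`, and `h` is not documented at all even though call sites rely on passing `crypto.Hash(0)` for the ed25519 keys. Suggested wording, one line each: `// getTestSigner returns a Signer loaded with hash h from the PEM file named name in test/keys.`, `// getTestVerifier returns a Verifier for hash h backed by the public key in the PEM file named name in test/keys.`, `// getTestPublicKey returns the public key parsed from the PEM file named name in test/keys.`. Separately, the local `sv` in getTestVerifier holds a Verifier rather than a SignerVerifier, so `v` would read more accurately. The hunk ends inside getTestEntity, whose body is outside the view.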
2 changes: 1 addition & 1 deletion pkg/integrity/sign_test.go
Expand Up @@ -558,7 +558,7 @@ func TestSigner_Sign(t *testing.T) {
t.Fatal(err)
}

sv := getTestSignerVerifier(t, "ed25519.pem")
sv := getTestSigner(t, "ed25519-private.pem", crypto.Hash(0))

tests := []struct {
name string
@@ -1 +1 @@
{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:x6l8ZblpSSXGaPMCzySedWg88BwIFcz8jlPb6el0mFs","sig":"SNnYRFIhDwWjk0pxoreaNiLea6L2WAFUm4boxnv7jiBNGmvMnbCxdsHYsTRBLXvMJHwEfKGvHFJmi9VvMe4JCQ=="},{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]}
{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"},{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]}