
Commit abf9e07

Test cross compatibility
* Add tests verifying Metablock signatures * Fix RSA key load with trailing newline Signed-off-by: Aditya Sirish <[email protected]>
1 parent 1c3e073 commit abf9e07


8 files changed

+293
-21
lines changed


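--- a/signerverifier/ecdsa_test.go
+++ b/signerverifier/ecdsa_test.go
@@ -2,9 +2,12 @@ package signerverifier
 
 import (
 	"context"
+	"encoding/json"
+	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/secure-systems-lab/go-securesystemslib/cjson"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/stretchr/testify/assert"
 )
@@ -29,6 +32,34 @@ func TestNewECDSASignerVerifierFromSSLibKey(t *testing.T) {
 	assert.Nil(t, sv.private)
 }
 
+func TestLoadECDSAKeyFromFile(t *testing.T) {
+	t.Run("ecdsa public key", func(t *testing.T) {
+		key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+		assert.Nil(t, err)
+
+		assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", key.KeyID)
+		assert.Equal(t, "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1\nXM36oXymJ9wxpM68nCqkrZCVnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END PUBLIC KEY-----", key.KeyVal.Public)
+		assert.Equal(t, "ecdsa-sha2-nistp256", key.Scheme)
+		assert.Equal(t, ECDSAKeyType, key.KeyType)
+	})
+
+	t.Run("ecdsa private key", func(t *testing.T) {
+		key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key"))
+		assert.Nil(t, err)
+
+		assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", key.KeyID)
+		assert.Equal(t, "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1\nXM36oXymJ9wxpM68nCqkrZCVnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END PUBLIC KEY-----", key.KeyVal.Public)
+		assert.Equal(t, "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAo6DxXlgqYy+TkvocIOyWlqA3KVtp6dlSY7lS3kkeEMoAoGCCqGSM49\nAwEHoUQDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1XM36oXymJ9wxpM68nCqkrZCV\nnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END EC PRIVATE KEY-----", key.KeyVal.Private)
+		assert.Equal(t, "ecdsa-sha2-nistp256", key.Scheme)
+		assert.Equal(t, ECDSAKeyType, key.KeyType)
+	})
+
+	t.Run("invalid path", func(t *testing.T) {
+		_, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "invalid"))
+		assert.ErrorContains(t, err, "unable to load ECDSA key from file")
+	})
+}
+
 func TestECDSASignerVerifierSign(t *testing.T) {
 	t.Run("using valid key", func(t *testing.T) {
 		key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key"))
@@ -116,3 +147,45 @@ func TestECDSASignerVerifierWithDSSEEnvelope(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", acceptedKeys[0].KeyID)
 }
+
+func TestECDSASignerVerifierWithMetablockFile(t *testing.T) {
+	key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sv, err := NewECDSASignerVerifierFromSSLibKey(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	metadataBytes, err := os.ReadFile(filepath.Join("test-data", "test-ecdsa.98adf386.link"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mb := struct {
+		Signatures []struct {
+			KeyID string `json:"keyid"`
+			Sig string `json:"sig"`
+		} `json:"signatures"`
+		Signed any `json:"signed"`
+	}{}
+
+	if err := json.Unmarshal(metadataBytes, &mb); err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Equal(t, "304502201fbb03c0937504182a48c66f9218bdcb2e99a07ada273e92e5e543867f98c8d7022100dbfa7bbf74fd76d76c1d08676419cba85bbd81dfb000f3ac6a786693ddc508f5", mb.Signatures[0].Sig)
+	assert.Equal(t, sv.keyID, mb.Signatures[0].KeyID)
+
+	encodedBytes, err := cjson.EncodeCanonical(mb.Signed)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	decodedSig := hexDecode(t, mb.Signatures[0].Sig)
+
+	err = sv.Verify(context.Background(), encodedBytes, decodedSig)
+	assert.Nil(t, err)
+}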
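Review bot: TestECDSASignerVerifierWithMetablockFile (new lines 151–191) only proves that the Python-generated signature verifies; it never shows that the canonical encoding of `signed` is actually what the signature binds, so a verifier that ignored its message argument would pass this test too. After the positive check, mutate one field of the decoded `signed` map, re-canonicalize it and assert that `sv.Verify` rejects it; I use `assert.NotNil` because this hunk does not show which sentinel the ECDSA verifier returns on mismatch. The `mb.Signatures[0]` indexing also deserves a `if len(mb.Signatures) != 1 { t.Fatalf(...) }` guard so a bad fixture fails with a message instead of an index panic.
```go
	// … unchanged: load key, read and unmarshal the .link file, positive Verify …

	// The signature must be bound to the canonical form of signed: any change to it must fail.
	signed, ok := mb.Signed.(map[string]any)
	if !ok {
		t.Fatalf("unexpected type for signed: %T", mb.Signed)
	}
	signed["name"] = "tampered"
	tamperedBytes, err := cjson.EncodeCanonical(signed)
	if err != nil {
		t.Fatal(err)
	}
	assert.NotNil(t, sv.Verify(context.Background(), tamperedBytes, decodedSig))
```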

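--- a/signerverifier/ed25519_test.go
+++ b/signerverifier/ed25519_test.go
@@ -3,10 +3,12 @@ package signerverifier
 import (
 	"context"
 	"crypto/ed25519"
-	"encoding/hex"
+	"encoding/json"
+	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/secure-systems-lab/go-securesystemslib/cjson"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/stretchr/testify/assert"
 )
@@ -30,6 +32,34 @@ func TestNewED25519SignerVerifierFromSSLibKey(t *testing.T) {
 	assert.Nil(t, sv.private)
 }
 
+func TestLoadED25519KeyFromFile(t *testing.T) {
+	t.Run("ED25519 public key", func(t *testing.T) {
+		key, err := LoadED25519KeyFromFile(filepath.Join("test-data", "ed25519-test-key.pub"))
+		assert.Nil(t, err)
+
+		assert.Equal(t, "52e3b8e73279d6ebdd62a5016e2725ff284f569665eb92ccb145d83817a02997", key.KeyID)
+		assert.Equal(t, "3f586ce67329419fb0081bd995914e866a7205da463d593b3b490eab2b27fd3f", key.KeyVal.Public)
+		assert.Equal(t, "ed25519", key.Scheme)
+		assert.Equal(t, ED25519KeyType, key.KeyType)
+	})
+
+	t.Run("ED25519 private key", func(t *testing.T) {
+		key, err := LoadED25519KeyFromFile(filepath.Join("test-data", "ed25519-test-key"))
+		assert.Nil(t, err)
+
+		assert.Equal(t, "52e3b8e73279d6ebdd62a5016e2725ff284f569665eb92ccb145d83817a02997", key.KeyID)
+		assert.Equal(t, "3f586ce67329419fb0081bd995914e866a7205da463d593b3b490eab2b27fd3f", key.KeyVal.Public)
+		assert.Equal(t, "66f6ebad4aeb949b91c84c9cfd6ee351fc4fd544744bab6e30fb400ba13c6e9a", key.KeyVal.Private)
+		assert.Equal(t, "ed25519", key.Scheme)
+		assert.Equal(t, ED25519KeyType, key.KeyType)
+	})
+
+	t.Run("invalid path", func(t *testing.T) {
+		_, err := LoadED25519KeyFromFile(filepath.Join("test-data", "invalid"))
+		assert.ErrorContains(t, err, "unable to load ED25519 key from file")
+	})
+}
+
 func TestED25519SignerVerifierSign(t *testing.T) {
 	key, err := LoadED25519KeyFromFile(filepath.Join("test-data", "ed25519-test-key"))
 	if err != nil {
@@ -85,15 +115,6 @@ func TestED25519SignerVerifierVerify(t *testing.T) {
 	assert.ErrorIs(t, err, ErrSignatureVerificationFailed)
 }
 
-func hexDecode(t *testing.T, data string) []byte {
-	t.Helper()
-	b, err := hex.DecodeString(data)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return b
-}
-
 func TestED25519SignerVerifierWithDSSEEnvelope(t *testing.T) {
 	key, err := LoadED25519KeyFromFile(filepath.Join("test-data", "ed25519-test-key"))
 	if err != nil {
@@ -142,3 +163,45 @@ func TestED25519SignerVerifierWithDSSEEnvelope(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, "52e3b8e73279d6ebdd62a5016e2725ff284f569665eb92ccb145d83817a02997", acceptedKeys[0].KeyID)
 }
+
+func TestED25519SignerVerifierWithMetablockFile(t *testing.T) {
+	key, err := LoadED25519KeyFromFile(filepath.Join("test-data", "ed25519-test-key.pub"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sv, err := NewED25519SignerVerifierFromSSLibKey(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	metadataBytes, err := os.ReadFile(filepath.Join("test-data", "test-ed25519.52e3b8e7.link"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mb := struct {
+		Signatures []struct {
+			KeyID string `json:"keyid"`
+			Sig string `json:"sig"`
+		} `json:"signatures"`
+		Signed any `json:"signed"`
+	}{}
+
+	if err := json.Unmarshal(metadataBytes, &mb); err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Equal(t, "4c8b7605a9195d4ddba54493bbb5257a9836c1d16056a027fd77e97b95a4f3e36f8bc3c9c9960387d68187760b3072a30c44f992c5bf8f7497c303a3b0a32403", mb.Signatures[0].Sig)
+	assert.Equal(t, sv.keyID, mb.Signatures[0].KeyID)
+
+	encodedBytes, err := cjson.EncodeCanonical(mb.Signed)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	decodedSig := hexDecode(t, mb.Signatures[0].Sig)
+
+	err = sv.Verify(context.Background(), encodedBytes, decodedSig)
+	assert.Nil(t, err)
+}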
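Review bot: `hexDecode` is deleted from this file (old lines 88–95) but is still called by the new TestED25519SignerVerifierWithMetablockFile at new line 203, and by the matching ECDSA and RSA tests; none of the four sections shown here defines it, so it presumably now lives in one of the other changed files of this commit — worth confirming, since the package's tests will not compile otherwise. Separately, `mb.Signatures[0]` at new lines 195–196 and 203 is indexed without a length check, so a fixture with an empty `signatures` array panics with an index error instead of a readable failure; add `if len(mb.Signatures) != 1 { t.Fatalf("expected 1 signature, got %d", len(mb.Signatures)) }` right after the `json.Unmarshal` check. Decoding `signed` into `any` also turns any JSON integer into a float64 before `cjson.EncodeCanonical`; the fixture here has no numbers, but a one-line comment noting that numeric fields are not covered by this cross-compatibility test would save the next reader from assuming they are.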

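--- a/signerverifier/rsa.go
+++ b/signerverifier/rsa.go
@@ -9,6 +9,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"os"
+	"strings"
 )
 
 const (
@@ -96,12 +97,12 @@ func (sv *RSAPSSSignerVerifier) Public() crypto.PublicKey {
 func LoadRSAPSSKeyFromFile(path string) (*SSLibKey, error) {
 	contents, err := os.ReadFile(path)
 	if err != nil {
-		return nil, fmt.Errorf("unable to load RSA PSS key from file: %w", err)
+		return nil, fmt.Errorf("unable to load RSA key from file: %w", err)
 	}
 
 	pemData, keyObj, err := decodeAndParsePEM(contents)
 	if err != nil {
-		return nil, fmt.Errorf("unable to load RSA PSS key from file: %w", err)
+		return nil, fmt.Errorf("unable to load RSA key from file: %w", err)
 	}
 
 	key := &SSLibKey{
@@ -115,23 +116,23 @@ func LoadRSAPSSKeyFromFile(path string) (*SSLibKey, error) {
 	case *rsa.PublicKey:
 		pubKeyBytes, err := x509.MarshalPKIXPublicKey(k)
 		if err != nil {
-			return nil, fmt.Errorf("unable to load RSA PSS key from file: %w", err)
+			return nil, fmt.Errorf("unable to load RSA key from file: %w", err)
 		}
-		key.KeyVal.Public = string(generatePEMBlock(pubKeyBytes, PublicKeyPEM))
+		key.KeyVal.Public = strings.TrimSpace(string(generatePEMBlock(pubKeyBytes, PublicKeyPEM)))
 
 	case *rsa.PrivateKey:
 		pubKeyBytes, err := x509.MarshalPKIXPublicKey(k.Public())
 		if err != nil {
-			return nil, fmt.Errorf("unable to load RSA PSS key from file: %w", err)
+			return nil, fmt.Errorf("unable to load RSA key from file: %w", err)
 		}
-		key.KeyVal.Public = string(generatePEMBlock(pubKeyBytes, PublicKeyPEM))
-		key.KeyVal.Private = string(generatePEMBlock(pemData.Bytes, RSAPrivateKeyPEM))
+		key.KeyVal.Public = strings.TrimSpace(string(generatePEMBlock(pubKeyBytes, PublicKeyPEM)))
+		key.KeyVal.Private = strings.TrimSpace(string(generatePEMBlock(pemData.Bytes, RSAPrivateKeyPEM)))
 	}
 
 	if len(key.KeyID) == 0 {
 		keyID, err := calculateKeyID(key)
 		if err != nil {
-			return nil, fmt.Errorf("unable to load RSA PSS key from file: %w", err)
+			return nil, fmt.Errorf("unable to load RSA key from file: %w", err)
 		}
 		key.KeyID = keyID
 	}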
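Review bot: The three `strings.TrimSpace` calls (new lines 121, 128 and 129) carry no comment, yet they silently change the key ID of every RSA key this loader returns — the same test key moves from `966c5d84…` to `4e8d20af…` in rsa_test.go — so any RSA keyid persisted by an earlier version of this package no longer matches. Add a comment at the first trim such as `// generatePEMBlock emits a trailing newline; strip it so the PEM string, and the keyid derived from it, match securesystemslib's canonical form.` and call the keyid change out in the commit body or changelog as a breaking change for stored metadata. Note that TrimSpace also strips leading whitespace, which is broader than the "trailing newline" the commit message describes; harmless for generatePEMBlock's output, but `strings.TrimSuffix(..., "\n")` would state the intent exactly. That the keyid is computed over KeyVal.Public is inferred from the changed expectations in rsa_test.go; calculateKeyID itself is outside this hunk.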

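--- a/signerverifier/rsa_test.go
+++ b/signerverifier/rsa_test.go
@@ -3,9 +3,12 @@ package signerverifier
 import (
 	"context"
 	"crypto/rsa"
+	"encoding/json"
+	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/secure-systems-lab/go-securesystemslib/cjson"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/stretchr/testify/assert"
 )
@@ -25,11 +28,40 @@ func TestNewRSAPSSSignerVerifierFromSSLibKey(t *testing.T) {
 	_, expectedPublicKey, err := decodeAndParsePEM([]byte(expectedPublicString))
 	assert.Nil(t, err)
 
-	assert.Equal(t, "966c5d84ba73ccded42eb473c939d77336e4def253ffaf6739f8e983ef73dad8", sv.keyID) // FIXME: mismatch?
+	assert.Equal(t, "4e8d20af09fcaed6c388a186427f94a5f7ff5591ec295f4aab2cff49ffe39e9b", sv.keyID)
 	assert.Equal(t, expectedPublicKey.(*rsa.PublicKey), sv.public)
 	assert.Nil(t, sv.private)
 }
 
+func TestLoadRSAPSSKeyFromFile(t *testing.T) {
+	t.Run("RSA public key", func(t *testing.T) {
+		key, err := LoadRSAPSSKeyFromFile(filepath.Join("test-data", "rsa-test-key.pub"))
+		assert.Nil(t, err)
+
+		assert.Equal(t, "4e8d20af09fcaed6c388a186427f94a5f7ff5591ec295f4aab2cff49ffe39e9b", key.KeyID)
+		assert.Equal(t, "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA04egZRic+dZMVtiQc56D\nejU4FF1q3aOkUKnD+Q4lTbj1zp6ODKJTcktupmrad68jqtMiSGG8he6ELFs377q8\nbbgEUMWgAf+06Q8oFvUSfOXzZNFI7H5SMPOJY5aDWIMIEZ8DlcO7TfkA7D3iAEJX\nxxTOVS3UAIk5umO7Y7t7yXr8O/C4u78krGazCnoblcekMLJZV4O/5BloWNAe/B1c\nvZdaZUf3brD4ZZrxEtXw/tefhn1aHsSUajVW2wwjSpKhqj7Z0XS3bDS3T95/3xsN\n6+hlS6A7rJfiWpKIRHj0vh2SXLDmmhQl1In8TD/aiycTUyWcBRHVPlYFgYPt6SaT\nVQSgMzSxC43/2fINb2fyt8SbUHJ3Ct+mzRzd/1AQikWhBdstJLxInewzjYE/sb+c\n2CmCxMPQG2BwmAWXaaumeJcXVPBlMgAcjMatM8bPByTbXpKDnQslOE7g/gswDIwn\nEm53T13mZzYUvbLJ0q3aljZVLIC3IZn3ZwA2yCWchBkVAgMBAAE=\n-----END PUBLIC KEY-----", key.KeyVal.Public)
+		assert.Equal(t, RSAKeyScheme, key.Scheme)
+		assert.Equal(t, RSAKeyType, key.KeyType)
+	})
+
+	t.Run("RSA private key", func(t *testing.T) {
+		key, err := LoadRSAPSSKeyFromFile(filepath.Join("test-data", "rsa-test-key"))
+		assert.Nil(t, err)
+
+		assert.Equal(t, "4e8d20af09fcaed6c388a186427f94a5f7ff5591ec295f4aab2cff49ffe39e9b", key.KeyID)
+		assert.Equal(t, "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA04egZRic+dZMVtiQc56D\nejU4FF1q3aOkUKnD+Q4lTbj1zp6ODKJTcktupmrad68jqtMiSGG8he6ELFs377q8\nbbgEUMWgAf+06Q8oFvUSfOXzZNFI7H5SMPOJY5aDWIMIEZ8DlcO7TfkA7D3iAEJX\nxxTOVS3UAIk5umO7Y7t7yXr8O/C4u78krGazCnoblcekMLJZV4O/5BloWNAe/B1c\nvZdaZUf3brD4ZZrxEtXw/tefhn1aHsSUajVW2wwjSpKhqj7Z0XS3bDS3T95/3xsN\n6+hlS6A7rJfiWpKIRHj0vh2SXLDmmhQl1In8TD/aiycTUyWcBRHVPlYFgYPt6SaT\nVQSgMzSxC43/2fINb2fyt8SbUHJ3Ct+mzRzd/1AQikWhBdstJLxInewzjYE/sb+c\n2CmCxMPQG2BwmAWXaaumeJcXVPBlMgAcjMatM8bPByTbXpKDnQslOE7g/gswDIwn\nEm53T13mZzYUvbLJ0q3aljZVLIC3IZn3ZwA2yCWchBkVAgMBAAE=\n-----END PUBLIC KEY-----", key.KeyVal.Public)
+		expectedPrivateKey := "-----BEGIN RSA PRIVATE KEY-----\nMIIG5AIBAAKCAYEA04egZRic+dZMVtiQc56DejU4FF1q3aOkUKnD+Q4lTbj1zp6O\nDKJTcktupmrad68jqtMiSGG8he6ELFs377q8bbgEUMWgAf+06Q8oFvUSfOXzZNFI\n7H5SMPOJY5aDWIMIEZ8DlcO7TfkA7D3iAEJXxxTOVS3UAIk5umO7Y7t7yXr8O/C4\nu78krGazCnoblcekMLJZV4O/5BloWNAe/B1cvZdaZUf3brD4ZZrxEtXw/tefhn1a\nHsSUajVW2wwjSpKhqj7Z0XS3bDS3T95/3xsN6+hlS6A7rJfiWpKIRHj0vh2SXLDm\nmhQl1In8TD/aiycTUyWcBRHVPlYFgYPt6SaTVQSgMzSxC43/2fINb2fyt8SbUHJ3\nCt+mzRzd/1AQikWhBdstJLxInewzjYE/sb+c2CmCxMPQG2BwmAWXaaumeJcXVPBl\nMgAcjMatM8bPByTbXpKDnQslOE7g/gswDIwnEm53T13mZzYUvbLJ0q3aljZVLIC3\nIZn3ZwA2yCWchBkVAgMBAAECggGAKswAeCPMMsIYTOPhCftyt2mIEJq78d7Xclh+\npWemxXxcAzNSIx0+i9vWJcZtsBRXv4qbH5DiryhMRpsoDJE36Wz3No5darodFKAz\n6L0pwepWXbn4Kpz+LRhA3kzIA0LzgXkuJQFmZoawGJwGmy3RC57ahiJRB9C7xMnD\n0pBOobuHx+rSvW2VUmou5DpDVYEAZ7fV2p511wUK9xkYg8K/Dj7Ok7pFRfh5MTlx\nd/GgIjdm97Np5dq4+moTShtBEqfqviv1OfDa32DISAOcEKiC2jg0O96khDz2YjK4\n0HAbWrGjVB1v+/kWKTWJ6/ddLb+Dk77KKeZ4pSPKYeUM7jXlyVikntmFTw4CXFvk\n2QqOfJyBxAxcx4eB/n6j1mqIvqL6TjloXn/Bhc/65Fr5een3hLbRnhtNxXBURwVo\nYYJwLw7tZOMKqt51qbKU2XqaII7iVHGPaeDUYs4PaBSSW/E1FFAZbId1GSe4+mDi\nJipxs4M6S9N9FPgTmZlgQ/0j6VMhAoHBANrygq2IsgRjczVO+FhOAmmP6xjbcoII\n582JTunwb8Yf4KJR8DM295LRcafk9Ns4l3QF/rESK8mZAbMUsjKlD4WcE2QTOEoQ\nQBV+lJLDyYeAhmq2684dqaIGA5jEW0GcfDpj42Hhy/qiy1PWTe/O1aFaLaYV0bXL\nPN1CTGpc+DdRh5lX7ftoTS/Do0U9Of30s00Bm9AV0LLoyH5WmXpGWatOYBHHwomi\n08vMsbJelgFzDQPRjHfpj7+EZh1wdqe8cQKBwQD3U8QP7ZatB5ymMLsefm/I6Uor\nwz5SqMyiz+u/Fc+4Ii8SwLsVQw+IoZyxofkKTbMESrgQhLbzC59eRbUcF7GZ+lZQ\nw6gG/+YLvx9MYcEVGeruyPmlYFp6g+vN/qEiPs1oZej8r1XjNj228XdTMAJ2qTbZ\nGVyhEMMbBgd5FFxEqueD5/EILT6xj9BxvQ1m2IFbVIkXfOrhdwEk+RcbXDA0n+rS\nkhBajWQ3eVQGY2hWnYB+1fmumYFs8hAaMAJlCOUCgcBCvi6Ly+HIaLCUDZCzCoS9\nvTuDhlHvxdsz0qmVss+/67PEh4nbcuQhg2tMLQVfVm8E1VcAj3N9rwDPoH155stG\nhX97wEgme7GtW7rayohCoDFZko1rdatiUscB6MmQxK0x94U3L2fI7Zth4TA87CY/\nW4gS2w/khSH2qOE2g0S/SEE3w5AuVWtCJjc9Qh7NhayqytS+qAfIoiGMMcXzekKX\nb/rlMKni3xoFRE7e+uprYrES+uwBGdfSIAAo9UGWfGECgcEA8pCJ4qE+vJaRkQCM\nFD0mvyHl54PGFOWORUOsTy1CGrIT/s1c7l5l1rfB6QkVKYDIyLXLThALKdVFSP0O\nwe2O9pfpna42lh7VbMHWHWBmMJ7JpcUf6ozUUAIf+1j2iZKUfAYu+duwXXWuE0VA\npSqZz+znaQaRrTm2UEOagqpwT7xZ8SlCYKWXLigA4/vpL+u4+myvQ4T1C4leaveN\nLP0+He6VLE2qklTHbAynVtiZ1REFm9+Z0B6nK8U/+58ISjTtAoHBALgqMopFIOMw\nAhhasnrL3Pzxf0WKzKmj/y2yEP0Vctm0muqxFnFwPwyOAd6HODJOSiFPD5VN4jvC\n+Yw96Qn29kHGXTKgL1J9cSL8z6Qzlc+UYCdSwmaZK5r36+NBTJgvKY9KrpkXCkSa\nc5YgIYtXMitmq9NmNvcSJWmuuiept3HFlwkU3pfmwzKNEeqi2jmuIOqI2zCOqX67\nI+YQsJgrHE0TmYxxRkgeYUy7s5DoHE25rfvdy5Lx+xAOH8ZgD1SGOw==\n-----END RSA PRIVATE KEY-----"
+		assert.Equal(t, expectedPrivateKey, key.KeyVal.Private)
+		assert.Equal(t, RSAKeyScheme, key.Scheme)
+		assert.Equal(t, RSAKeyType, key.KeyType)
+	})
+
+	t.Run("invalid path", func(t *testing.T) {
+		_, err := LoadRSAPSSKeyFromFile(filepath.Join("test-data", "invalid"))
+		assert.ErrorContains(t, err, "unable to load RSA key from file")
+	})
+}
+
 func TestRSAPSSSignerVerifierSignAndVerify(t *testing.T) {
 	t.Run("using valid key", func(t *testing.T) {
 		key, err := LoadRSAPSSKeyFromFile(filepath.Join("test-data", "rsa-test-key"))
@@ -93,7 +125,7 @@ func TestRSAPSSSignerVerifierWithDSSEEnvelope(t *testing.T) {
 		t.Error(err)
 	}
 
-	assert.Equal(t, "966c5d84ba73ccded42eb473c939d77336e4def253ffaf6739f8e983ef73dad8", env.Signatures[0].KeyID)
+	assert.Equal(t, "4e8d20af09fcaed6c388a186427f94a5f7ff5591ec295f4aab2cff49ffe39e9b", env.Signatures[0].KeyID)
 	envPayload, err := env.DecodeB64Payload()
 	assert.Equal(t, payload, envPayload)
 	assert.Nil(t, err)
@@ -115,5 +147,47 @@ func TestRSAPSSSignerVerifierWithDSSEEnvelope(t *testing.T) {
 
 	acceptedKeys, err := ev.Verify(context.Background(), env)
 	assert.Nil(t, err)
-	assert.Equal(t, "966c5d84ba73ccded42eb473c939d77336e4def253ffaf6739f8e983ef73dad8", acceptedKeys[0].KeyID)
+	assert.Equal(t, "4e8d20af09fcaed6c388a186427f94a5f7ff5591ec295f4aab2cff49ffe39e9b", acceptedKeys[0].KeyID)
+}
+
+func TestRSAPSSSignerVerifierWithMetablockFile(t *testing.T) {
+	key, err := LoadRSAPSSKeyFromFile(filepath.Join("test-data", "rsa-test-key.pub"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sv, err := NewRSAPSSSignerVerifierFromSSLibKey(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	metadataBytes, err := os.ReadFile(filepath.Join("test-data", "test-rsa.4e8d20af.link"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mb := struct {
+		Signatures []struct {
+			KeyID string `json:"keyid"`
+			Sig string `json:"sig"`
+		} `json:"signatures"`
+		Signed any `json:"signed"`
+	}{}
+
+	if err := json.Unmarshal(metadataBytes, &mb); err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Equal(t, "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", mb.Signatures[0].Sig)
+	assert.Equal(t, sv.keyID, mb.Signatures[0].KeyID)
+
+	encodedBytes, err := cjson.EncodeCanonical(mb.Signed)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	decodedSig := hexDecode(t, mb.Signatures[0].Sig)
+
+	err = sv.Verify(context.Background(), encodedBytes, decodedSig)
+	assert.Nil(t, err)
 }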
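Review bot: The expected keyid in TestNewRSAPSSSignerVerifierFromSSLibKey (new line 31) changes from `966c5d84…` to `4e8d20af…` and the old `// FIXME: mismatch?` is dropped, but nothing in the test records why the id moved, so the next person who sees a keyid mismatch has no trail to follow. Replace the dropped FIXME with a comment that states the resolution, e.g. `// keyid must match the one securesystemslib computes for this key; it is derived from the PEM string without its trailing newline (see LoadRSAPSSKeyFromFile).` — the derivation itself is inferred from rsa.go's TrimSpace change and calculateKeyID is not visible here, so word it as far as the loader shows. The same expectation is now hard-coded in five places across this file; hoisting it into one `const rsaTestKeyID = "4e8d20af…"` would make the next key rotation a one-line change. The three struct-literal `mb` decoders in this file and its siblings are identical copies and could share one helper in the test package.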
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
{
2+
"signatures": [
3+
{
4+
"keyid": "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704",
5+
"sig": "304502201fbb03c0937504182a48c66f9218bdcb2e99a07ada273e92e5e543867f98c8d7022100dbfa7bbf74fd76d76c1d08676419cba85bbd81dfb000f3ac6a786693ddc508f5"
6+
}
7+
],
8+
"signed": {
9+
"_type": "link",
10+
"byproducts": {},
11+
"command": [],
12+
"environment": {},
13+
"materials": {},
14+
"name": "test-ecdsa",
15+
"products": {}
16+
}
17+
}
