148 lines
3.7 KiB
Go
148 lines
3.7 KiB
Go
package attestation_test
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"encoding/json"
|
|
"fmt"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/docker/attest/internal/test"
|
|
"github.com/docker/attest/pkg/attestation"
|
|
"github.com/docker/attest/pkg/signerverifier"
|
|
intoto "github.com/in-toto/in-toto-golang/in_toto"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestSignVerifyAttestation(t *testing.T) {
|
|
ctx, signer := test.Setup(t)
|
|
stmt := &intoto.Statement{
|
|
StatementHeader: intoto.StatementHeader{
|
|
Type: intoto.StatementInTotoV01,
|
|
PredicateType: intoto.PredicateSPDX,
|
|
},
|
|
Predicate: "test",
|
|
}
|
|
|
|
payload, err := json.Marshal(stmt)
|
|
assert.NoError(t, err)
|
|
|
|
env, err := attestation.SignDSSE(ctx, payload, intoto.PayloadType, signer)
|
|
assert.NoError(t, err)
|
|
|
|
// marshal envelope to json to test for bugs when marshaling envelope data
|
|
serializedEnv, err := json.Marshal(env)
|
|
assert.NoError(t, err)
|
|
deserializedEnv := new(attestation.Envelope)
|
|
err = json.Unmarshal(serializedEnv, deserializedEnv)
|
|
assert.NoError(t, err)
|
|
|
|
// signer.Public() calls AWS API when using AWS signer, use attestation.GetPublicVerificationKey() to get key from TUF repo
|
|
// signer.Public() used here for test purposes
|
|
ecPub, ok := signer.Public().(*ecdsa.PublicKey)
|
|
assert.True(t, ok)
|
|
pem, err := signerverifier.ToPEM(ecPub)
|
|
assert.NoError(t, err)
|
|
keyId, err := signerverifier.KeyID(ecPub)
|
|
assert.NoError(t, err)
|
|
|
|
badKeyPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
assert.NoError(t, err)
|
|
badKey := &badKeyPriv.PublicKey
|
|
badPEM, err := signerverifier.ToPEM(badKey)
|
|
assert.NoError(t, err)
|
|
|
|
testCases := []struct {
|
|
name string
|
|
keyId string
|
|
pem []byte
|
|
distrust bool
|
|
from time.Time
|
|
to *time.Time
|
|
status string
|
|
expectedError string
|
|
}{
|
|
{
|
|
name: "all OK",
|
|
keyId: keyId,
|
|
pem: pem,
|
|
distrust: false,
|
|
from: time.Time{},
|
|
to: nil,
|
|
status: "active",
|
|
expectedError: "",
|
|
},
|
|
{
|
|
name: "key not found",
|
|
keyId: "someotherkey",
|
|
pem: pem,
|
|
distrust: false,
|
|
from: time.Time{},
|
|
to: nil,
|
|
status: "active",
|
|
expectedError: fmt.Sprintf("key not found: %s", keyId),
|
|
},
|
|
{
|
|
name: "key distrusted",
|
|
keyId: keyId,
|
|
pem: pem,
|
|
distrust: true,
|
|
from: time.Time{},
|
|
to: nil,
|
|
status: "active",
|
|
expectedError: "distrusted",
|
|
},
|
|
{
|
|
name: "key not yet valid",
|
|
keyId: keyId,
|
|
pem: pem,
|
|
distrust: false,
|
|
from: time.Now().Add(time.Hour),
|
|
to: nil,
|
|
status: "active",
|
|
expectedError: "not yet valid",
|
|
},
|
|
{
|
|
name: "key already revoked",
|
|
keyId: keyId,
|
|
pem: pem,
|
|
distrust: false,
|
|
from: time.Time{},
|
|
to: new(time.Time),
|
|
status: "revoked",
|
|
expectedError: "already revoked",
|
|
},
|
|
{
|
|
name: "bad key",
|
|
keyId: keyId,
|
|
pem: badPEM,
|
|
distrust: false,
|
|
from: time.Time{},
|
|
to: nil,
|
|
status: "active",
|
|
expectedError: "signature is not valid",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
keyMeta := attestation.KeyMetadata{
|
|
ID: tc.keyId,
|
|
PEM: string(tc.pem),
|
|
Distrust: tc.distrust,
|
|
From: tc.from,
|
|
To: tc.to,
|
|
Status: tc.status,
|
|
}
|
|
_, err = attestation.VerifyDSSE(ctx, deserializedEnv, attestation.KeysMap{tc.keyId: keyMeta})
|
|
if tc.expectedError != "" {
|
|
assert.Contains(t, err.Error(), tc.expectedError)
|
|
} else {
|
|
assert.NoError(t, err)
|
|
}
|
|
})
|
|
}
|
|
}
|