94 lines
2.7 KiB
Go
94 lines
2.7 KiB
Go
package tlog
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/docker/attest/internal/util"
|
|
"github.com/docker/attest/signerverifier"
|
|
"github.com/secure-systems-lab/go-securesystemslib/dsse"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
const (
|
|
// test artifacts.
|
|
TestPayload = "test"
|
|
TestPublicKey = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAED4V+REhx+aqWH7ylMMDHahNMnMLS\nOJP/9kAm9lp+3mqYTAhURra6OD5Qx8Zbd+euPyPk9y+w/gWGDB9zn/Il1A==\n-----END PUBLIC KEY-----"
|
|
)
|
|
|
|
func TestCreateX509Cert(t *testing.T) {
|
|
// TODO - replace with mock KMS
|
|
// generate test signing keys
|
|
signer, err := signerverifier.GenKeyPair()
|
|
assert.NoError(t, err)
|
|
|
|
// create x509 cert
|
|
cert, err := CreateX509Cert("test", signer)
|
|
assert.NoError(t, err)
|
|
p, _ := pem.Decode(cert)
|
|
result, err := x509.ParseCertificate(p.Bytes)
|
|
assert.NoError(t, err)
|
|
|
|
// test cert RawSubjectPublicKeyInfo field contains ephemeral public key
|
|
ecPub, err := x509.MarshalPKIXPublicKey(signer.Public())
|
|
assert.NoError(t, err)
|
|
assert.Equalf(t, string(result.RawSubjectPublicKeyInfo), string(ecPub), "certificate raw subject public key info does not match ephemeral public key")
|
|
|
|
// test cert common name == subject
|
|
assert.Equalf(t, result.Subject.CommonName, "test", "cert common name does not equal subject id")
|
|
}
|
|
|
|
func TestUploadAndVerifyLogEntry(t *testing.T) {
|
|
// message digest
|
|
payload := []byte("test")
|
|
hash := util.SHA256(payload)
|
|
|
|
// generate ephemeral keys to sign message digest
|
|
signer, err := signerverifier.GenKeyPair()
|
|
assert.NoError(t, err)
|
|
sig, err := signer.Sign(context.Background(), hash)
|
|
assert.NoError(t, err)
|
|
|
|
var tl TL
|
|
if UseMockTL {
|
|
tl = &MockTL{
|
|
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) ([]byte, error) {
|
|
return []byte(TestEntry), nil
|
|
},
|
|
VerifyLogEntryFunc: func(_ context.Context, _ []byte) (time.Time, error) {
|
|
return time.Time{}, nil
|
|
},
|
|
VerifyEntryPayloadFunc: func(_, _, _ []byte) error {
|
|
return nil
|
|
},
|
|
}
|
|
} else {
|
|
tl = &RekorTL{}
|
|
}
|
|
|
|
// test upload log entry
|
|
ctx := WithTL(context.Background(), tl)
|
|
entry, err := tl.UploadLogEntry(ctx, "test", payload, sig, signer)
|
|
assert.NoError(t, err)
|
|
|
|
// test verify log entry
|
|
_, err = tl.VerifyLogEntry(ctx, entry)
|
|
assert.NoError(t, err)
|
|
|
|
// verify TL entry payload
|
|
ecPub, err := x509.MarshalPKIXPublicKey(signer.Public())
|
|
assert.NoError(t, err)
|
|
err = tl.VerifyEntryPayload(entry, payload, ecPub)
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestVerifyEntryPayload(t *testing.T) {
|
|
tl := &RekorTL{}
|
|
p, _ := pem.Decode([]byte(TestPublicKey))
|
|
err := tl.VerifyEntryPayload([]byte(TestEntry), []byte(TestPayload), p.Bytes)
|
|
assert.NoError(t, err)
|
|
}
|