...

Source file src/github.com/sigstore/cosign/v2/pkg/cosign/tlog_test.go

Documentation: github.com/sigstore/cosign/v2/pkg/cosign 

     1  // Copyright 2022 The Sigstore Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package cosign
    16  
    17  import (
    18  	"context"
    19  	"crypto"
    20  	"crypto/rand"
    21  	"crypto/rsa"
    22  	"crypto/x509"
    23  	"encoding/hex"
    24  	"encoding/pem"
    25  	"strings"
    26  	"testing"
    27  
    28  	ttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
    29  	"github.com/sigstore/rekor/pkg/generated/models"
    30  	"github.com/sigstore/sigstore/pkg/cryptoutils"
    31  	"github.com/sigstore/sigstore/pkg/tuf"
    32  )
    33  
    34  var (
    35  	demoLogID = [32]byte{19, 56, 222, 93, 229, 36, 102, 128, 227, 214, 3, 121, 93, 175, 126, 236, 97, 217, 34, 32, 40, 233, 98, 27, 46, 179, 164, 251, 84, 10, 60, 57}
    36  )
    37  
    38  func TestGetRekorPubKeys(t *testing.T) {
    39  	t.Setenv("TUF_ROOT", t.TempDir())
    40  	keys, err := GetRekorPubs(context.Background())
    41  	if err != nil {
    42  		t.Fatalf("Unexpected error calling GetRekorPubs, expected nil: %v", err)
    43  	}
    44  	if len(keys.Keys) == 0 {
    45  		t.Errorf("expected 1 or more keys, got 0")
    46  	}
    47  	// check that the mapping of key digest to key is correct
    48  	for logID, key := range keys.Keys {
    49  		expectedLogID, err := GetTransparencyLogID(key.PubKey)
    50  		if err != nil {
    51  			t.Fatalf("unexpected error generated log ID: %v", err)
    52  		}
    53  		if logID != expectedLogID {
    54  			t.Fatalf("key digests are not equal")
    55  		}
    56  	}
    57  }
    58  
    59  func TestExpectedRekorResponse(t *testing.T) {
    60  	validUUID := "f794467401d57241b7903737211c721cb3315648d077a9f02ceefb6e404a05de"
    61  	validUUID1 := "7794467401d57241b7903737211c721cb3315648d077a9f02ceefb6e404a05de"
    62  
    63  	validTreeID := "0FFFFFFFFFFFFFFF"
    64  	validTreeID1 := "3315648d077a9f02"
    65  	invalidTreeID := "0000000000000000"
    66  	tests := []struct {
    67  		name         string
    68  		requestUUID  string
    69  		responseUUID string
    70  		wantErr      bool
    71  	}{
    72  		{
    73  			name:         "valid match with request & response entry UUID",
    74  			requestUUID:  validTreeID + validUUID,
    75  			responseUUID: validTreeID + validUUID,
    76  			wantErr:      false,
    77  		},
    78  		// The following is the current typical Rekor behavior.
    79  		{
    80  			name:         "valid match with request entry UUID",
    81  			requestUUID:  validTreeID + validUUID,
    82  			responseUUID: validUUID,
    83  			wantErr:      false,
    84  		},
    85  		{
    86  			name:         "valid match with request UUID",
    87  			requestUUID:  validUUID,
    88  			responseUUID: validUUID,
    89  			wantErr:      false,
    90  		},
    91  		{
    92  			name:         "valid match with response entry UUID",
    93  			requestUUID:  validUUID,
    94  			responseUUID: validTreeID + validUUID,
    95  			wantErr:      false,
    96  		},
    97  		{
    98  			name:         "mismatch uuid with response tree id",
    99  			requestUUID:  validUUID,
   100  			responseUUID: validTreeID + validUUID1,
   101  			wantErr:      true,
   102  		},
   103  		{
   104  			name:         "mismatch uuid with request tree id",
   105  			requestUUID:  validTreeID + validUUID1,
   106  			responseUUID: validUUID,
   107  			wantErr:      true,
   108  		},
   109  		{
   110  			name:         "mismatch tree id",
   111  			requestUUID:  validTreeID + validUUID,
   112  			responseUUID: validTreeID1 + validUUID,
   113  			wantErr:      true,
   114  		},
   115  		{
   116  			name:         "invalid response tree id",
   117  			requestUUID:  validTreeID + validUUID,
   118  			responseUUID: invalidTreeID + validUUID,
   119  			wantErr:      true,
   120  		},
   121  		{
   122  			name:         "invalid request tree id",
   123  			requestUUID:  invalidTreeID + validUUID,
   124  			responseUUID: validUUID,
   125  			wantErr:      true,
   126  		},
   127  	}
   128  	for _, tt := range tests {
   129  		t.Run(tt.name, func(t *testing.T) {
   130  			if got := isExpectedResponseUUID(tt.requestUUID, tt.responseUUID); (got != nil) != tt.wantErr {
   131  				t.Errorf("isExpectedResponseUUID() = %v, want %v", got, tt.wantErr)
   132  			}
   133  		})
   134  	}
   135  }
   136  
   137  func TestGetCTLogID(t *testing.T) {
   138  	block, _ := pem.Decode([]byte(ttestdata.DemoPublicKey))
   139  	pk, err := x509.ParsePKIXPublicKey(block.Bytes)
   140  	if err != nil {
   141  		t.Fatalf("unexpected error loading public key: %v", err)
   142  	}
   143  
   144  	got, err := GetTransparencyLogID(pk)
   145  	if err != nil {
   146  		t.Fatalf("error getting logid: %v", err)
   147  	}
   148  
   149  	if want := hex.EncodeToString(demoLogID[:]); got != want {
   150  		t.Errorf("logID: \n%v want \n%v", got, want)
   151  	}
   152  }
   153  
   154  func TestVerifyTLogEntryOfflineFailsWithInvalidPublicKey(t *testing.T) {
   155  	// Then try to validate with keys that are not ecdsa.PublicKey and should
   156  	// fail.
   157  	var rsaPrivKey crypto.PrivateKey
   158  	rsaPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
   159  	if err != nil {
   160  		t.Fatalf("Unable to create RSA test key: %v", err)
   161  	}
   162  	var signer crypto.Signer
   163  	var ok bool
   164  	if signer, ok = rsaPrivKey.(crypto.Signer); !ok {
   165  		t.Fatalf("Unable to create signer out of RSA test key: %v", err)
   166  	}
   167  	rsaPEM, err := cryptoutils.MarshalPublicKeyToPEM(signer.Public())
   168  	if err != nil {
   169  		t.Fatalf("Unable to marshal RSA test key: %v", err)
   170  	}
   171  	rekorPubKeys := NewTrustedTransparencyLogPubKeys()
   172  	if err = rekorPubKeys.AddTransparencyLogPubKey(rsaPEM, tuf.Active); err != nil {
   173  		t.Fatalf("failed to add RSA key to transparency log public keys: %v", err)
   174  	}
   175  
   176  	err = VerifyTLogEntryOffline(context.Background(), &models.LogEntryAnon{Verification: &models.LogEntryAnonVerification{InclusionProof: &models.InclusionProof{}}}, &rekorPubKeys)
   177  	if err == nil {
   178  		t.Fatal("Wanted error got none")
   179  	}
   180  	if !strings.Contains(err.Error(), "is not type ecdsa.PublicKey") {
   181  		t.Fatalf("Did not get expected error message, wanted 'is not type ecdsa.PublicKey' got: %v", err)
   182  	}
   183  }
   184  

View as plain text