keys_test.go

Documentation: github.com/sigstore/cosign/v2/pkg/signature

     1  // Copyright 2021 The Sigstore Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package signature
    16  
    17  import (
    18  	"context"
    19  	"crypto"
    20  	"errors"
    21  	"os"
    22  	"testing"
    23  
    24  	"github.com/sigstore/cosign/v2/pkg/blob"
    25  	"github.com/sigstore/cosign/v2/pkg/cosign"
    26  	sigsignature "github.com/sigstore/sigstore/pkg/signature"
    27  	"github.com/sigstore/sigstore/pkg/signature/kms"
    28  )
    29  
    30  func generateKeyFile(t *testing.T, tmpDir string, pf cosign.PassFunc) (privFile, pubFile string) {
    31  	t.Helper()
    32  
    33  	tmpPrivFile, err := os.CreateTemp(tmpDir, "cosign_test_*.key")
    34  	if err != nil {
    35  		t.Fatalf("failed to create temp key file: %v", err)
    36  	}
    37  	defer tmpPrivFile.Close()
    38  	tmpPubFile, err := os.CreateTemp(tmpDir, "cosign_test_*.pub")
    39  	if err != nil {
    40  		t.Fatalf("failed to create temp pub file: %v", err)
    41  	}
    42  	defer tmpPubFile.Close()
    43  
    44  	// Generate a valid keypair.
    45  	keys, err := cosign.GenerateKeyPair(pf)
    46  	if err != nil {
    47  		t.Fatalf("failed to generate keypair: %v", err)
    48  	}
    49  
    50  	if _, err := tmpPrivFile.Write(keys.PrivateBytes); err != nil {
    51  		t.Fatalf("failed to write key file: %v", err)
    52  	}
    53  	if _, err := tmpPubFile.Write(keys.PublicBytes); err != nil {
    54  		t.Fatalf("failed to write pub file: %v", err)
    55  	}
    56  	return tmpPrivFile.Name(), tmpPubFile.Name()
    57  }
    58  
    59  func TestSignerFromPrivateKeyFileRef(t *testing.T) {
    60  	t.Parallel()
    61  	tmpDir := t.TempDir()
    62  	ctx := context.Background()
    63  
    64  	testCases := []struct {
    65  		desc string
    66  
    67  		writePw   cosign.PassFunc
    68  		readPw    cosign.PassFunc
    69  		expectErr bool
    70  	}{{
    71  		desc: "good password",
    72  
    73  		writePw: pass("hello"),
    74  		readPw:  pass("hello"),
    75  	}, {
    76  		desc: "bad password",
    77  
    78  		writePw:   pass("hello"),
    79  		readPw:    pass("something else"),
    80  		expectErr: true,
    81  	}}
    82  	for _, tc := range testCases {
    83  		t.Run(tc.desc, func(t *testing.T) {
    84  			tc := tc
    85  			t.Parallel()
    86  			testFile, _ := generateKeyFile(t, tmpDir, tc.writePw)
    87  
    88  			signer, err := SignerFromKeyRef(ctx, testFile, tc.readPw)
    89  			if err != nil {
    90  				if tc.expectErr {
    91  					// Task failed successfully
    92  					return
    93  				}
    94  				t.Fatalf("SignerFromKeyRef returned error: %v", err)
    95  			}
    96  			if tc.expectErr {
    97  				t.Fatalf("SignerFromKeyRef should have returned error, got: %v", signer)
    98  			}
    99  		})
   100  	}
   101  }
   102  
   103  func TestPublicKeyFromFileRef(t *testing.T) {
   104  	t.Parallel()
   105  	tmpDir := t.TempDir()
   106  	ctx := context.Background()
   107  	_, testFile := generateKeyFile(t, tmpDir, pass("whatever"))
   108  
   109  	if _, err := PublicKeyFromKeyRef(ctx, testFile); err != nil {
   110  		t.Fatalf("PublicKeyFromKeyRef returned error: %v", err)
   111  	}
   112  }
   113  
   114  func TestPublicKeyFromEnvVar(t *testing.T) {
   115  	keys, err := cosign.GenerateKeyPair(pass("whatever"))
   116  	if err != nil {
   117  		t.Fatalf("failed to generate keypair: %v", err)
   118  	}
   119  	ctx := context.Background()
   120  
   121  	os.Setenv("MY_ENV_VAR", string(keys.PublicBytes))
   122  	defer os.Unsetenv("MY_ENV_VAR")
   123  	if _, err := PublicKeyFromKeyRef(ctx, "env://MY_ENV_VAR"); err != nil {
   124  		t.Fatalf("PublicKeyFromKeyRef returned error: %v", err)
   125  	}
   126  }
   127  
   128  func TestSignerVerifierFromEnvVar(t *testing.T) {
   129  	passFunc := pass("whatever")
   130  	keys, err := cosign.GenerateKeyPair(passFunc)
   131  	if err != nil {
   132  		t.Fatalf("failed to generate keypair: %v", err)
   133  	}
   134  	ctx := context.Background()
   135  
   136  	os.Setenv("MY_ENV_VAR", string(keys.PrivateBytes))
   137  	defer os.Unsetenv("MY_ENV_VAR")
   138  	if _, err := SignerVerifierFromKeyRef(ctx, "env://MY_ENV_VAR", passFunc); err != nil {
   139  		t.Fatalf("SignerVerifierFromKeyRef returned error: %v", err)
   140  	}
   141  }
   142  
   143  func TestVerifierForKeyRefError(t *testing.T) {
   144  	kms.AddProvider("errorkms://", func(_ context.Context, _ string, _ crypto.Hash, _ ...sigsignature.RPCOption) (kms.SignerVerifier, error) {
   145  		return nil, errors.New("bad")
   146  	})
   147  	var uerr *blob.UnrecognizedSchemeError
   148  
   149  	ctx := context.Background()
   150  	_, err := PublicKeyFromKeyRef(ctx, "errorkms://bad")
   151  	if err == nil {
   152  		t.Fatalf("PublicKeyFromKeyRef didn't return any error")
   153  	} else if errors.As(err, &uerr) {
   154  		t.Fatalf("PublicKeyFromKeyRef returned UnrecognizedSchemeError: %v", err)
   155  	}
   156  
   157  	_, err = PublicKeyFromKeyRef(ctx, "badscheme://bad")
   158  	if err == nil {
   159  		t.Fatalf("PublicKeyFromKeyRef didn't return any error")
   160  	} else if !errors.As(err, &uerr) {
   161  		t.Fatalf("PublicKeyFromKeyRef didn't return UnrecognizedSchemeError: %v", err)
   162  	}
   163  }
   164  
   165  func pass(s string) cosign.PassFunc {
   166  	return func(_ bool) ([]byte, error) {
   167  		return []byte(s), nil
   168  	}
   169  }
   170
View as plain text