
     1  //
     2  // Copyright 2021 The Sigstore Authors.
     3  //
     4  // Licensed under the Apache License, Version 2.0 (the "License");
     5  // you may not use this file except in compliance with the License.
     6  // You may obtain a copy of the License at
     7  //
     8  //     http://www.apache.org/licenses/LICENSE-2.0
     9  //
    10  // Unless required by applicable law or agreed to in writing, software
    11  // distributed under the License is distributed on an "AS IS" BASIS,
    12  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  // See the License for the specific language governing permissions and
    14  // limitations under the License.
    15  
    16  //go:build e2e
    17  // +build e2e
    18  
    19  package x509
    20  
    21  import (
    22  	"bytes"
    23  	"context"
    24  	"crypto"
    25  	"crypto/rand"
    26  	"crypto/rsa"
    27  	"crypto/sha256"
    28  	"crypto/x509"
    29  	"encoding/pem"
    30  	"errors"
    31  	"io/ioutil"
    32  	"testing"
    33  
    34  	"github.com/sigstore/rekor/pkg/util"
    35  	"github.com/sigstore/sigstore/pkg/signature"
    36  	"github.com/sigstore/sigstore/pkg/signature/options"
    37  )
    38  
    39  // Generated with:
    40  // openssl ecparam -genkey -name prime256v1 > ec_private.pem
    41  // openssl pkcs8 -topk8 -in ec_private.pem  -nocrypt
    42  const ECDSAPriv = `-----BEGIN PRIVATE KEY-----
    43  MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmrLtCpBdXgXLUr7o
    44  nSUPfo3oXMjmvuwTOjpTulIBKlKhRANCAATH6KSpTFe6uXFmW1qNEFXaO7fWPfZt
    45  pPZrHZ1cFykidZoURKoYXfkohJ+U/USYy8Sd8b4DMd5xDRZCnlDM0h37
    46  -----END PRIVATE KEY-----`
    47  
    48  // Extracted from above with:
    49  // openssl ec -in ec_private.pem -pubout
    50  const ECDSAPub = `-----BEGIN PUBLIC KEY-----
    51  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx+ikqUxXurlxZltajRBV2ju31j32
    52  baT2ax2dXBcpInWaFESqGF35KISflP1EmMvEnfG+AzHecQ0WQp5QzNId+w==
    53  -----END PUBLIC KEY-----`
    54  
    55  // Generated with:
    56  // openssl req -newkey rsa:2048 -nodes -keyout test.key -x509 -out test.crt
    57  const RSACert = `-----BEGIN CERTIFICATE-----
    58  MIIDOjCCAiKgAwIBAgIUEP925shVBKERFCsymdSqESLZFyMwDQYJKoZIhvcNAQEL
    59  BQAwHzEdMBsGCSqGSIb3DQEJARYOdGVzdEByZWtvci5kZXYwHhcNMjEwNDIxMjAy
    60  ODAzWhcNMjEwNTIxMjAyODAzWjAfMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHJla29y
    61  LmRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN8KiP08rFIik4GN
    62  W8/sHSXxDopeDBLEQEihsyXXWesfYW/q59lFaCZrsTetlyNEzKDJ+JrpIHwoGOo4
    63  EwefFfvy2nkgPFs9aeIDsYZNZnIGxeB8sUfsZUYGHx+Ikm18vhM//GYzNjjuvHyq
    64  +CWRAOS12ZISa99iah/lIhcP8IEj1gPGldAH0QFx3XpCePAdQocSU6ziVkj054/x
    65  NJXy1bKySrVw7gvE9LxZlVO9urSOnzg7BBOla0mob8NRDVB8yN+LG365q4IMDzuI
    66  jAEL6sLtoJ9pcemo1rIfNOhSLYlzfg7oszJ8eCjASNCCcp6EKVjhW7LRoldC8oGZ
    67  EOrKM78CAwEAAaNuMGwwHQYDVR0OBBYEFGjs8EHKT3x1itwwptJLuQQg/hQcMB8G
    68  A1UdIwQYMBaAFGjs8EHKT3x1itwwptJLuQQg/hQcMA8GA1UdEwEB/wQFMAMBAf8w
    69  GQYDVR0RBBIwEIEOdGVzdEByZWtvci5kZXYwDQYJKoZIhvcNAQELBQADggEBAAHE
    70  bYuePN3XpM7pHoCz6g4uTHu0VrezqJyK1ohysgWJmSJzzazUeISXk0xWnHPk1Zxi
    71  kzoEuysI8b0P7yodMA8e16zbIOL6QbGe3lNXYqRIg+bl+4OPFGVMX8xHNZmeh0kD
    72  vX1JVS+y9uyo4/z/pm0JhaSCn85ft/Y5uXMQYn1wFR5DAcJH+iWjNX4fipGxGRE9
    73  Cy0DjFnYJ3SRY4HPQ0oUSQmyhrwe2DiYzeqtbL2KJBXPcFQKWhkf/fupdYFljvcH
    74  d9NNfRb0p2oFGG/J0ROg9pEcP1/aZP5k8P2pRdt3y7h1MAtmg2bgEdugZgXwAUmM
    75  BmU8k2FeTuqV15piPCE=
    76  -----END CERTIFICATE-----`
    77  
    78  const RSAKey = `-----BEGIN PRIVATE KEY-----
    79  MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfCoj9PKxSIpOB
    80  jVvP7B0l8Q6KXgwSxEBIobMl11nrH2Fv6ufZRWgma7E3rZcjRMygyfia6SB8KBjq
    81  OBMHnxX78tp5IDxbPWniA7GGTWZyBsXgfLFH7GVGBh8fiJJtfL4TP/xmMzY47rx8
    82  qvglkQDktdmSEmvfYmof5SIXD/CBI9YDxpXQB9EBcd16QnjwHUKHElOs4lZI9OeP
    83  8TSV8tWyskq1cO4LxPS8WZVTvbq0jp84OwQTpWtJqG/DUQ1QfMjfixt+uauCDA87
    84  iIwBC+rC7aCfaXHpqNayHzToUi2Jc34O6LMyfHgowEjQgnKehClY4Vuy0aJXQvKB
    85  mRDqyjO/AgMBAAECggEBAIHOAs3Gis8+WjRSjXVjh882DG1QsJwXZQYgPT+vpiAl
    86  YjKdNpOHRkbd9ARgXY5kEuccxDd7p7E6MM3XFpQf7M51ltpZfWboRgAIgD+WOiHw
    87  eSbdytr95C6tj11twTJBH+naGk1sTokxv7aaVdKfIjL49oeBexBFmVe4pW9gkmrE
    88  1z1y1a0RohqbZ0kprYPWjz5UhsNqbCzgkdDqS7IrcOwVg6zvKYFjHnqIHqaJXVif
    89  FgIfoNt7tz+12FTHI+6OkKoN3YCJueaxneBhITXm6RLOpQWa9qhdUPbkJ9vQNfph
    90  Qqke4faaxKY9UDma+GpEHR016AWufZp92pd9wQkDn0kCgYEA7w/ZizAkefHoZhZ8
    91  Isn/fYu4fdtUaVgrnGUVZobiGxWrHRU9ikbAwR7UwbgRSfppGiJdAMq1lyH2irmb
    92  4OHU64rjuYSlIqUWHLQHWmqUbLUvlDojH/vdmH/Zn0AbrLZaimC5UCjK3Eb7sAMq
    93  G0tGeDX2JraQvx7KrbC6peTaaaMCgYEA7tgZBiRCQJ7+mNu+gX9x6OXtjsDCh516
    94  vToRLkxWc7LAbC9LKsuEHl4e3vy1PY/nyuv12Ng2dBq4WDXozAmVgz0ok7rRlIFp
    95  w8Yj8o/9KuGZkD/7tw/pLsVc9Q3Wf0ACrnAAh7+3dAvn3yg+WHwXzqWIbrseDPt9
    96  ILCfUoNDpzUCgYAKFCX8y0PObFd67lm/cbq2xUw66iNN6ay1BEH5t5gSwkAbksis
    97  ar03pyAbJrJ75vXFZ0t6fBFZ1NG7GYYr3fmHEKz3JlN7+W/MN/7TXgjx6FWgLy9J
    98  6ul1w3YeU6qXBn0ctmU5ru6WiNuVmRyOWAcZjFTbXvkNRbQPzJKh6dsXdwKBgA1D
    99  FIihxMf/zBVCxl48bF/JPJqbm3GaTfFp4wBWHsrH1yVqrtrOeCSTh1VMZOfpMK60
   100  0W7b+pIR1cCYJbgGpDWoVLN3QSHk2bGUM/TJB/60jilTVC/DA2ikbtfwj8N7E2sK
   101  Lw1amN4ptxNOEcAqC8xepqe3XiDMahNBm2cigMQtAoGBAKwrXvss2BKz+/6poJQU
   102  A0c7jhMN8M9Y5S2Ockw07lrQeAgfu4q+/8ztm0NeHJbk01IJvJY5Nt7bSgwgNVlo
   103  j7vR2BMAc9U73Ju9aeTl/L6GqmZyA+Ojhl5gA5DPZYqNiqi93ydgRaI6n4+o3dI7
   104  5wnr40AmbuKCDvMOvN7nMybL
   105  -----END PRIVATE KEY-----`
   106  
   107  // Extracted from the certificate using:
   108  // openssl x509 -pubkey -noout -in test.crt
   109  const PubKey = `-----BEGIN PUBLIC KEY-----
   110  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3wqI/TysUiKTgY1bz+wd
   111  JfEOil4MEsRASKGzJddZ6x9hb+rn2UVoJmuxN62XI0TMoMn4mukgfCgY6jgTB58V
   112  +/LaeSA8Wz1p4gOxhk1mcgbF4HyxR+xlRgYfH4iSbXy+Ez/8ZjM2OO68fKr4JZEA
   113  5LXZkhJr32JqH+UiFw/wgSPWA8aV0AfRAXHdekJ48B1ChxJTrOJWSPTnj/E0lfLV
   114  srJKtXDuC8T0vFmVU726tI6fODsEE6VrSahvw1ENUHzI34sbfrmrggwPO4iMAQvq
   115  wu2gn2lx6ajWsh806FItiXN+DuizMnx4KMBI0IJynoQpWOFbstGiV0LygZkQ6soz
   116  vwIDAQAB
   117  -----END PUBLIC KEY-----`
   118  
// Package-level fixtures populated by init from the RSAKey and RSACert
// constants: CertPrivateKey is the parsed RSA private key used by
// SignX509Cert, Certificate is the parsed X.509 certificate that carries the
// matching public key. Both are set once at package load and never reassigned
// here.
var (
	CertPrivateKey *rsa.PrivateKey
	Certificate    *x509.Certificate
)
   123  
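// init parses the RSAKey and RSACert fixtures into CertPrivateKey and
// Certificate so that SignX509Cert can use them. It panics on any parse
// failure: these are static test fixtures, so a failure here means a broken
// fixture rather than a runtime condition worth reporting as an error.
func init() {
	// pem.Decode signals "no PEM block" with a nil block, not an error; check
	// it explicitly so a corrupted fixture fails with a clear message instead
	// of a nil-pointer dereference on block.Bytes.
	block, _ := pem.Decode([]byte(RSAKey))
	if block == nil {
		panic("RSAKey: no PEM block found")
	}
	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		panic(err)
	}
	cpk, ok := priv.(*rsa.PrivateKey)
	if !ok {
		panic("unsuccessful conversion")
	}
	CertPrivateKey = cpk

	block, _ = pem.Decode([]byte(RSACert))
	if block == nil {
		panic("RSACert: no PEM block found")
	}
	Certificate, err = x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}
}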
   142  
// SignX509Cert signs b with the package-level CertPrivateKey and returns the
// raw signature bytes, or the error from the signing operation.
//
// The message is hashed with SHA-256 and the digest is passed to
// rsa.PrivateKey.Sign with crypto.SHA256 as the signer options; with a plain
// hash as opts (not *rsa.PSSOptions) that produces an RSA PKCS #1 v1.5
// signature, so verifiers must expect PKCS #1 v1.5, not PSS.
func SignX509Cert(b []byte) ([]byte, error) {
	digest := sha256.Sum256(b)
	return CertPrivateKey.Sign(rand.Reader, digest[:], crypto.SHA256)
}
   148  
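// CreatedX509SignedArtifact creates an artifact at artifactPath via
// util.CreateArtifact, signs its contents with CertPrivateKey (see
// SignX509Cert) and writes the raw signature to sigPath. Any failure is
// reported through t.Fatal.
//
// The signature file is written with mode 0644; it holds only a signature
// over a throwaway test artifact, so world-readable is acceptable here.
func CreatedX509SignedArtifact(t *testing.T, artifactPath, sigPath string) {
	t.Helper()
	artifact := util.CreateArtifact(t, artifactPath)

	// Sign it with our key and write that to a file. The local is named sig
	// rather than signature so it does not shadow the imported signature
	// package inside this function.
	sig, err := SignX509Cert([]byte(artifact))
	if err != nil {
		t.Fatal(err)
	}
	// sig is already a []byte; no conversion is needed.
	if err := ioutil.WriteFile(sigPath, sig, 0644); err != nil {
		t.Fatal(err)
	}
}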
   163  
// Verifier is an e2e test adapter that pairs a sigstore Signer with a sigstore
// Verifier behind one type. S is used by Sign; v is used by Verify and Public.
// Either may be left nil: Sign and Verify then return an error instead of
// dereferencing it. v is unexported, so only code in this package can set it.
type Verifier struct {
	S signature.Signer   // signer backing Sign; nil -> Sign returns "nil signer"
	v signature.Verifier // verifier backing Verify/Public; nil -> Verify returns "nil Verifier"
}
   168  
// KeyID reports the key identifier of this Verifier. The test adapter carries
// no identifier, so it always returns the empty string with a nil error.
func (v *Verifier) KeyID() (string, error) {
	const noKeyID = ""
	return noKeyID, nil
}
   172  
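// Public returns the public key of the wrapped sigstore Verifier, or nil when
// no verifier is set or the key cannot be obtained.
//
// The wrapped verifier exposes its key through the PublicKey method, which
// must be called. The previous body returned `v.v.PublicKey` without calling
// it: that compiles, because crypto.PublicKey is an empty interface, but it
// hands callers a method value (a func) instead of the key, so any type
// assertion such as pub.(*rsa.PublicKey) would always fail.
func (v *Verifier) Public() crypto.PublicKey {
	if v.v == nil {
		return nil
	}
	pub, err := v.v.PublicKey()
	if err != nil {
		// crypto.Signer's Public has no error result; report failure as nil.
		return nil
	}
	return pub
}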
   176  
// Sign signs data with the wrapped sigstore Signer S, asking for SHA-256 signer
// options, and returns the signature. It returns a "nil signer" error when S is
// unset, and a nil signature together with the signer's error when signing
// fails. The context is accepted for interface compatibility and is unused.
func (v *Verifier) Sign(_ context.Context, data []byte) (sig []byte, err error) {
	if v.S == nil {
		return nil, errors.New("nil signer")
	}
	signOpts := options.WithCryptoSignerOpts(crypto.SHA256)
	signed, signErr := v.S.SignMessage(bytes.NewReader(data), signOpts)
	if signErr != nil {
		return nil, signErr
	}
	return signed, nil
}
   187  
// Verify checks sig against data using the wrapped sigstore Verifier v. It
// returns a "nil Verifier" error when no verifier is set; otherwise it returns
// whatever VerifySignature reports (nil on success). The signature reader is
// passed first and the message reader second, matching VerifySignature's
// parameter order. The context is accepted for interface compatibility and is
// unused.
func (v *Verifier) Verify(_ context.Context, data, sig []byte) error {
	if v.v == nil {
		return errors.New("nil Verifier")
	}
	sigReader := bytes.NewReader(sig)
	msgReader := bytes.NewReader(data)
	return v.v.VerifySignature(sigReader, msgReader)
}
   194  
