...

Source file src/github.com/sigstore/timestamp-authority/pkg/signer/tink_test.go

Documentation: github.com/sigstore/timestamp-authority/pkg/signer 

     1  // Copyright 2022 The Sigstore Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package signer
    16  
    17  import (
    18  	"context"
    19  	"crypto/ecdsa"
    20  	"crypto/ed25519"
    21  	"crypto/rand"
    22  	"crypto/sha256"
    23  	"crypto/sha512"
    24  	"hash"
    25  	"os"
    26  	"path/filepath"
    27  	"strings"
    28  	"testing"
    29  
    30  	"github.com/google/tink/go/aead"
    31  	"github.com/sigstore/sigstore/pkg/cryptoutils"
    32  
    33  	"github.com/google/tink/go/keyset"
    34  	"github.com/google/tink/go/proto/tink_go_proto"
    35  	"github.com/google/tink/go/signature"
    36  )
    37  
    38  type TestStruct struct {
    39  	keyTemplate *tink_go_proto.KeyTemplate
    40  	h           hash.Hash
    41  }
    42  
    43  func TestNewTinkSigner(t *testing.T) {
    44  	aeskh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
    45  	if err != nil {
    46  		t.Fatalf("error creating AEAD key handle: %v", err)
    47  	}
    48  	a, err := aead.New(aeskh)
    49  	if err != nil {
    50  		t.Fatalf("error creating AEAD key: %v", err)
    51  	}
    52  	kh, err := keyset.NewHandle(signature.ECDSAP256KeyTemplate())
    53  	if err != nil {
    54  		t.Fatalf("error creating ECDSA key handle: %v", err)
    55  	}
    56  	khsigner, err := KeyHandleToSigner(kh)
    57  	if err != nil {
    58  		t.Fatalf("error converting ECDSA key handle to signer: %v", err)
    59  	}
    60  
    61  	dir := t.TempDir()
    62  	keysetPath := filepath.Join(dir, "keyset.json.enc")
    63  	f, err := os.Create(keysetPath)
    64  	if err != nil {
    65  		t.Fatalf("error creating file: %v", err)
    66  	}
    67  	defer f.Close()
    68  	jsonWriter := keyset.NewJSONWriter(f)
    69  	if err := kh.Write(jsonWriter, a); err != nil {
    70  		t.Fatalf("error writing enc keyset: %v", err)
    71  	}
    72  
    73  	signer, err := NewTinkSigner(context.TODO(), keysetPath, a)
    74  	if err != nil {
    75  		t.Fatalf("unexpected error creating Tink signer: %v", err)
    76  	}
    77  
    78  	// Expect signer and key handle's public keys match
    79  	if err := cryptoutils.EqualKeys(signer.Public(), khsigner.Public()); err != nil {
    80  		t.Fatalf("keys of signer and key handle do not match: %v", err)
    81  	}
    82  
    83  	// Failure: Unable to decrypt keyset
    84  	aeskh1, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
    85  	if err != nil {
    86  		t.Fatalf("error creating AEAD key handle: %v", err)
    87  	}
    88  	a1, err := aead.New(aeskh1)
    89  	if err != nil {
    90  		t.Fatalf("error creating AEAD key: %v", err)
    91  	}
    92  	_, err = NewTinkSigner(context.TODO(), keysetPath, a1)
    93  	if err == nil || !strings.Contains(err.Error(), "decryption failed") {
    94  		t.Fatalf("expected error decrypting keyset, got %v", err)
    95  	}
    96  }
    97  
    98  func TestKeyHandleToSignerECDSA(t *testing.T) {
    99  	supportedKeyTypes := []TestStruct{
   100  		{
   101  			keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(),
   102  			h:           sha256.New(),
   103  		},
   104  		{
   105  			keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(),
   106  			h:           sha512.New(),
   107  		},
   108  		{
   109  			keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(),
   110  			h:           sha512.New(),
   111  		},
   112  	}
   113  	for _, kt := range supportedKeyTypes {
   114  		kh, err := keyset.NewHandle(kt.keyTemplate)
   115  		if err != nil {
   116  			t.Fatalf("error creating ECDSA key handle: %v", err)
   117  		}
   118  		// convert to crypto.Signer interface
   119  		signer, err := KeyHandleToSigner(kh)
   120  		if err != nil {
   121  			t.Fatalf("error converting ECDSA key handle to signer: %v", err)
   122  		}
   123  		msg := []byte("hello there")
   124  
   125  		// sign with key handle, verify with signer public key
   126  		tinkSigner, err := signature.NewSigner(kh)
   127  		if err != nil {
   128  			t.Fatalf("error creating tink signer: %v", err)
   129  		}
   130  		sig, err := tinkSigner.Sign(msg)
   131  		if err != nil {
   132  			t.Fatalf("error signing with tink signer: %v", err)
   133  		}
   134  		kt.h.Write(msg)
   135  		digest := kt.h.Sum(nil)
   136  		if !ecdsa.VerifyASN1(signer.Public().(*ecdsa.PublicKey), digest, sig) {
   137  			t.Fatalf("signature from tink signer did not match")
   138  		}
   139  
   140  		// sign with signer, verify with key handle
   141  		sig, err = ecdsa.SignASN1(rand.Reader, signer.(*ecdsa.PrivateKey), digest)
   142  		if err != nil {
   143  			t.Fatalf("error signing with crypto signer: %v", err)
   144  		}
   145  		pubkh, err := kh.Public()
   146  		if err != nil {
   147  			t.Fatalf("error fetching public key handle: %v", err)
   148  		}
   149  		v, err := signature.NewVerifier(pubkh)
   150  		if err != nil {
   151  			t.Fatalf("error creating tink verifier: %v", err)
   152  		}
   153  		if err := v.Verify(sig, msg); err != nil {
   154  			t.Fatalf("error verifying with tink verifier: %v", err)
   155  		}
   156  	}
   157  }
   158  
   159  func TestKeyHandleToSignerED25519(t *testing.T) {
   160  	kh, err := keyset.NewHandle(signature.ED25519KeyWithoutPrefixTemplate())
   161  	if err != nil {
   162  		t.Fatalf("error creating ED25519 key handle: %v", err)
   163  	}
   164  	// convert to crypto.Signer interface
   165  	signer, err := KeyHandleToSigner(kh)
   166  	if err != nil {
   167  		t.Fatalf("error converting ED25519 key handle to signer: %v", err)
   168  	}
   169  	msg := []byte("hello there")
   170  
   171  	// sign with key handle, verify with signer public key
   172  	tinkSigner, err := signature.NewSigner(kh)
   173  	if err != nil {
   174  		t.Fatalf("error creating tink signer: %v", err)
   175  	}
   176  	sig, err := tinkSigner.Sign(msg)
   177  	if err != nil {
   178  		t.Fatalf("error signing with tink signer: %v", err)
   179  	}
   180  	if !ed25519.Verify(signer.Public().(ed25519.PublicKey), msg, sig) {
   181  		t.Fatalf("signature from tink signer did not match")
   182  	}
   183  
   184  	// sign with signer, verify with key handle
   185  	sig = ed25519.Sign(signer.(ed25519.PrivateKey), msg)
   186  	if err != nil {
   187  		t.Fatalf("error signing with crypto signer: %v", err)
   188  	}
   189  	pubkh, err := kh.Public()
   190  	if err != nil {
   191  		t.Fatalf("error fetching public key handle: %v", err)
   192  	}
   193  	v, err := signature.NewVerifier(pubkh)
   194  	if err != nil {
   195  		t.Fatalf("error creating tink verifier: %v", err)
   196  	}
   197  	if err := v.Verify(sig, msg); err != nil {
   198  		t.Fatalf("error verifying with tink verifier: %v", err)
   199  	}
   200  }
   201  

View as plain text