
Source file src/github.com/theupdateframework/go-tuf/pkg/deprecated/deprecated_repo_test.go


     1  package deprecated
     2  
     3  import (
     4  	"crypto"
     5  	"crypto/elliptic"
     6  	"crypto/rand"
     7  	"crypto/sha256"
     8  	"encoding/json"
     9  	"testing"
    10  
    11  	"github.com/secure-systems-lab/go-securesystemslib/cjson"
    12  	repo "github.com/theupdateframework/go-tuf"
    13  	"github.com/theupdateframework/go-tuf/data"
    14  	_ "github.com/theupdateframework/go-tuf/pkg/deprecated/set_ecdsa"
    15  	"github.com/theupdateframework/go-tuf/pkg/keys"
    16  	. "gopkg.in/check.v1"
    17  )
    18  
// Test hands the standard testing.T to gocheck so every Suite registered in
// this package runs under `go test`.
func Test(t *testing.T) {
	TestingT(t)
}
    20  
// RepoSuite groups the gocheck tests for the deprecated hex-encoded ECDSA key
// path. It carries no state; the suite exists only to host the Test* methods.
type RepoSuite struct{}
    22  
// Register RepoSuite with gocheck so that Test (via TestingT) runs its methods.
var _ = Suite(&RepoSuite{})
    24  
// genKey generates a fresh signing key for role in r and returns the resulting
// key IDs. It fails the test if generation errors or produces no IDs, so
// callers can use the result without re-checking it.
func genKey(c *C, r *repo.Repo, role string) []string {
	ids, err := r.GenKey(role)
	c.Assert(err, IsNil)
	c.Assert(len(ids), Not(Equals), 0)
	return ids
}
    31  
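// Deprecated ecdsa key support: Support verification against roots that were
// signed with hex-encoded ecdsa keys.
//
// The test registers two ECDSA root keys whose public value is the legacy
// hex-encoded uncompressed point — one under the compliant key type, one under
// the old type name — signs root.json with both, and checks that Commit
// accepts the result. The blank import of pkg/deprecated/set_ecdsa in this
// file is what makes that format verifiable; the final Commit is the
// assertion that it is in effect.
func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
	// Wire shape of the legacy key value: HexBytes serialises the raw curve
	// point as a hex string under "public".
	type deprecatedP256Verifier struct {
		PublicKey data.HexBytes `json:"public"`
	}
	files := map[string][]byte{"foo.txt": []byte("foo")}
	local := repo.MemoryStore(make(map[string]json.RawMessage), files)
	r, err := repo.NewRepo(local)
	c.Assert(err, IsNil)

	// Init without consistent snapshots. Checking the error here keeps an Init
	// failure from surfacing later as a misleading signing or commit failure.
	c.Assert(r.Init(false), IsNil)

	// Add a root key with hex-encoded ecdsa format - compliant "ecdsa"
	// elliptic.Marshal produces the uncompressed point (0x04 || X || Y); that
	// raw encoding, hex-wrapped by HexBytes, is the legacy value under test.
	signer, err := keys.GenerateEcdsaKey()
	c.Assert(err, IsNil)
	pub := signer.PublicKey
	keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)})
	c.Assert(err, IsNil)
	publicData := &data.PublicKey{
		Type:       data.KeyTypeECDSA_SHA2_P256,
		Scheme:     data.KeySchemeECDSA_SHA2_P256,
		Algorithms: data.HashAlgorithms,
		Value:      keyValBytes,
	}
	err = r.AddVerificationKey("root", publicData)
	c.Assert(err, IsNil)

	// Add a root key with hex-encoded ecdsa format - deprecated "ecdsa-sha2-nistp256"
	// Same value encoding as above; only the key Type differs, so this exercises
	// the old type name being accepted alongside the compliant one.
	signerDeprecated, err := keys.GenerateEcdsaKey()
	c.Assert(err, IsNil)
	pubDeprecated := signerDeprecated.PublicKey
	keyValBytesDeprecated, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pubDeprecated.Curve, pubDeprecated.X, pubDeprecated.Y)})
	c.Assert(err, IsNil)
	publicDataDeprecated := &data.PublicKey{
		Type:       data.KeyTypeECDSA_SHA2_P256_OLD_FMT,
		Scheme:     data.KeySchemeECDSA_SHA2_P256,
		Algorithms: data.HashAlgorithms,
		Value:      keyValBytesDeprecated,
	}
	err = r.AddVerificationKey("root", publicDataDeprecated)
	c.Assert(err, IsNil)

	// Add other keys as normal
	genKey(c, r, "targets")
	genKey(c, r, "snapshot")
	genKey(c, r, "timestamp")
	c.Assert(r.AddTarget("foo.txt", nil), IsNil)

	// Sign the root role manually. The repo only holds the root *verification*
	// keys, so signing happens here over the SHA-256 of the canonical (cjson)
	// encoding of the signed portion; both root keys sign this same digest.
	rootMeta, err := r.SignedMeta("root.json")
	c.Assert(err, IsNil)
	rootCanonical, err := cjson.EncodeCanonical(rootMeta.Signed)
	c.Assert(err, IsNil)
	hash := sha256.Sum256(rootCanonical)
	rootSig, err := signer.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256)
	c.Assert(err, IsNil)
	// Attach the signature under every ID the key reports.
	for _, id := range publicData.IDs() {
		c.Assert(r.AddOrUpdateSignature("root.json", data.Signature{
			KeyID:     id,
			Signature: rootSig}), IsNil)
	}

	rootSigDeprecated, err := signerDeprecated.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256)
	c.Assert(err, IsNil)
	for _, id := range publicDataDeprecated.IDs() {
		c.Assert(r.AddOrUpdateSignature("root.json", data.Signature{
			KeyID:     id,
			Signature: rootSigDeprecated}), IsNil)
	}

	// Committing should succeed because the deprecated key pkg is added.
	// Commit verifies root.json against the registered root keys, so a
	// verifier that rejected the hex-encoded value would fail here.
	c.Assert(r.Snapshot(), IsNil)
	c.Assert(r.Timestamp(), IsNil)
	c.Assert(r.Commit(), IsNil)
}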
   108  
