...

Source file src/github.com/theupdateframework/go-tuf/verify/db_test.go

Documentation: github.com/theupdateframework/go-tuf/verify 

     1  package verify
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/stretchr/testify/assert"
     7  	"github.com/theupdateframework/go-tuf/data"
     8  	"github.com/theupdateframework/go-tuf/pkg/keys"
     9  )
    10  
    11  func TestDelegationsDB(t *testing.T) {
    12  	key, err := keys.GenerateEd25519Key()
    13  	assert.Nil(t, err, "generating key failed")
    14  	var dbTests = []struct {
    15  		testName     string
    16  		delegations  *data.Delegations
    17  		initErr      error
    18  		unmarshalErr error
    19  	}{
    20  		{
    21  			testName:     "empty state",
    22  			delegations:  &data.Delegations{},
    23  			unmarshalErr: ErrNoSignatures,
    24  		},
    25  		{
    26  			testName: "top level role",
    27  			delegations: &data.Delegations{Roles: []data.DelegatedRole{
    28  				{Name: "root"},
    29  			}},
    30  			initErr: ErrInvalidDelegatedRole,
    31  		},
    32  		{
    33  			testName: "invalid role",
    34  			delegations: &data.Delegations{Roles: []data.DelegatedRole{
    35  				{Threshold: 0},
    36  			}},
    37  			initErr: ErrInvalidThreshold,
    38  		},
    39  		{
    40  			testName: "standard (SHA256) key IDs supported",
    41  			delegations: &data.Delegations{
    42  				Keys: map[string]*data.PublicKey{
    43  					key.PublicData().IDs()[0]: key.PublicData(),
    44  				},
    45  				Roles: []data.DelegatedRole{{
    46  					Name:      "rolename",
    47  					KeyIDs:    key.PublicData().IDs(),
    48  					Threshold: 1,
    49  				},
    50  				},
    51  			},
    52  			// If we get to ErrNoSignatures, we've passed key loading; see
    53  			// delegations_test.go to see tests that delegation DB *fully* works
    54  			// with valid signatures set up.
    55  			unmarshalErr: ErrNoSignatures,
    56  		},
    57  		{
    58  			testName: "arbitrary (non-SHA256, per TAP-12) key IDs supported",
    59  			delegations: &data.Delegations{
    60  				Keys: map[string]*data.PublicKey{
    61  					"a": key.PublicData(),
    62  				},
    63  				Roles: []data.DelegatedRole{{
    64  					Name:      "rolename",
    65  					KeyIDs:    []string{"a"},
    66  					Threshold: 1,
    67  				},
    68  				},
    69  			},
    70  			// If we get to ErrNoSignatures, we've passed key loading; see
    71  			// delegations_test.go to see tests that delegation DB *fully* works
    72  			// with valid signatures set up.
    73  			unmarshalErr: ErrNoSignatures,
    74  		},
    75  	}
    76  
    77  	for _, tt := range dbTests {
    78  		t.Run(tt.testName, func(t *testing.T) {
    79  			db, err := NewDBFromDelegations(tt.delegations)
    80  			assert.Equal(t, tt.initErr, err)
    81  			if err == nil {
    82  				assert.NotNil(t, db)
    83  				var targets data.Targets
    84  				err = db.Unmarshal([]byte(`{"a":"b"}`), targets, "tree", 0)
    85  				assert.Equal(t, tt.unmarshalErr, err)
    86  			}
    87  		})
    88  	}
    89  }
    90  
    91  // Test key database for compliance with TAP-12.
    92  //
    93  // Previously, every key's key ID was the SHA256 of the public key. TAP-12
    94  // allows arbitrary key IDs, with no loss in security.
    95  //
    96  // TAP-12: https://github.com/theupdateframework/taps/blob/master/tap12.md
    97  func TestTAP12(t *testing.T) {
    98  	db := NewDB()
    99  	// Need to use a signer type that supports random signatures.
   100  	key1, _ := keys.GenerateRsaKey()
   101  	key2, _ := keys.GenerateRsaKey()
   102  	msg := []byte("{}")
   103  	sig1, _ := key1.SignMessage(msg)
   104  	sig1Duplicate, _ := key1.SignMessage(msg)
   105  	assert.NotEqual(t, sig1, sig1Duplicate, "Signatures should be random")
   106  	sig2, _ := key2.SignMessage(msg)
   107  
   108  	// Idempotent: adding the same key with the same ID is okay.
   109  	assert.Nil(t, db.AddKey("key1", key1.PublicData()), "initial add")
   110  	assert.Nil(t, db.AddKey("key1", key1.PublicData()), "re-add")
   111  	// Adding a different key is allowed, unless the key ID is the same.
   112  	assert.Nil(t, db.AddKey("key2", key2.PublicData()), "different key with different ID")
   113  	assert.ErrorIs(t, db.AddKey("key1", key2.PublicData()), ErrRepeatID{"key1"}, "different key with same key ID")
   114  	assert.Nil(t, db.AddKey("key1-duplicate", key1.PublicData()), "same key with different ID should succeed")
   115  	assert.Nil(t, db.AddRole("diffkeys", &data.Role{
   116  		KeyIDs:    []string{"key1", "key2"},
   117  		Threshold: 2,
   118  	}), "adding role")
   119  	assert.Nil(t, db.AddRole("samekeys", &data.Role{
   120  		KeyIDs:    []string{"key1", "key1-alt"},
   121  		Threshold: 2,
   122  	}), "adding role")
   123  	assert.Nil(t, db.VerifySignatures(&data.Signed{
   124  		Signed:     msg,
   125  		Signatures: []data.Signature{{KeyID: "key1", Signature: sig1}, {KeyID: "key2", Signature: sig2}},
   126  	}, "diffkeys"), "Signature with different keys: ")
   127  	assert.ErrorIs(t, db.VerifySignatures(&data.Signed{
   128  		Signed:     msg,
   129  		Signatures: []data.Signature{{KeyID: "key1", Signature: sig1}, {KeyID: "key1-alt", Signature: sig1Duplicate}},
   130  	}, "samekeys"), ErrRoleThreshold{2, 1}, "Threshold signing with repeat key")
   131  }
   132  

View as plain text