summaryrefslogtreecommitdiffstats
path: root/signerverifier/ecdsa_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'signerverifier/ecdsa_test.go')
-rw-r--r--signerverifier/ecdsa_test.go191
1 files changed, 191 insertions, 0 deletions
diff --git a/signerverifier/ecdsa_test.go b/signerverifier/ecdsa_test.go
new file mode 100644
index 0000000..71163dc
--- /dev/null
+++ b/signerverifier/ecdsa_test.go
@@ -0,0 +1,191 @@
+package signerverifier
+
+import (
+ "context"
+ "encoding/json"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/secure-systems-lab/go-securesystemslib/cjson"
+ "github.com/secure-systems-lab/go-securesystemslib/dsse"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestNewECDSASignerVerifierFromSSLibKey(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ sv, err := NewECDSASignerVerifierFromSSLibKey(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ expectedPublicString := "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1\nXM36oXymJ9wxpM68nCqkrZCVnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END PUBLIC KEY-----"
+ _, expectedPublicKey, err := decodeAndParsePEM([]byte(expectedPublicString))
+ assert.Nil(t, err)
+
+ assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", sv.keyID)
+ assert.Equal(t, expectedPublicKey, sv.public)
+ assert.Nil(t, sv.private)
+}
+
+func TestLoadECDSAKeyFromFile(t *testing.T) {
+ t.Run("ecdsa public key", func(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+ assert.Nil(t, err)
+
+ assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", key.KeyID)
+ assert.Equal(t, "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1\nXM36oXymJ9wxpM68nCqkrZCVnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END PUBLIC KEY-----", key.KeyVal.Public)
+ assert.Equal(t, "ecdsa-sha2-nistp256", key.Scheme)
+ assert.Equal(t, ECDSAKeyType, key.KeyType)
+ })
+
+ t.Run("ecdsa private key", func(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key"))
+ assert.Nil(t, err)
+
+ assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", key.KeyID)
+ assert.Equal(t, "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1\nXM36oXymJ9wxpM68nCqkrZCVnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END PUBLIC KEY-----", key.KeyVal.Public)
+ assert.Equal(t, "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAo6DxXlgqYy+TkvocIOyWlqA3KVtp6dlSY7lS3kkeEMoAoGCCqGSM49\nAwEHoUQDQgAEu+HEqqpXLa48lXH9rkRygsfsCKq1XM36oXymJ9wxpM68nCqkrZCV\nnZ9lkEeCwD8qWYTNxD5yfWXwJjFh+K7qLQ==\n-----END EC PRIVATE KEY-----", key.KeyVal.Private)
+ assert.Equal(t, "ecdsa-sha2-nistp256", key.Scheme)
+ assert.Equal(t, ECDSAKeyType, key.KeyType)
+ })
+
+ t.Run("invalid path", func(t *testing.T) {
+ _, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "invalid"))
+ assert.ErrorContains(t, err, "unable to load ECDSA key from file")
+ })
+}
+
+func TestECDSASignerVerifierSign(t *testing.T) {
+ t.Run("using valid key", func(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ sv, err := NewECDSASignerVerifierFromSSLibKey(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ message := []byte("test message")
+
+ signature, err := sv.Sign(context.Background(), message)
+ assert.Nil(t, err)
+
+ err = sv.Verify(context.Background(), message, signature)
+ assert.Nil(t, err)
+ })
+
+ t.Run("using invalid key", func(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ sv, err := NewECDSASignerVerifierFromSSLibKey(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ message := []byte("test message")
+
+ _, err = sv.Sign(context.Background(), message)
+ assert.ErrorIs(t, err, ErrNotPrivateKey)
+ })
+}
+
+func TestECDSASignerVerifierWithDSSEEnvelope(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ sv, err := NewECDSASignerVerifierFromSSLibKey(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ payloadType := "application/vnd.dsse+json"
+ payload := []byte("test message")
+
+ es, err := dsse.NewEnvelopeSigner(sv)
+ if err != nil {
+ t.Error(err)
+ }
+
+ env, err := es.SignPayload(context.Background(), payloadType, payload)
+ if err != nil {
+ t.Error(err)
+ }
+
+ assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", env.Signatures[0].KeyID)
+ envPayload, err := env.DecodeB64Payload()
+ assert.Equal(t, payload, envPayload)
+ assert.Nil(t, err)
+
+ key, err = LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ sv, err = NewECDSASignerVerifierFromSSLibKey(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ ev, err := dsse.NewEnvelopeVerifier(sv)
+ if err != nil {
+ t.Error(err)
+ }
+
+ acceptedKeys, err := ev.Verify(context.Background(), env)
+ assert.Nil(t, err)
+ assert.Equal(t, "98adf38602c48c5479e9a991ee3f8cbf541ee4f985e00f7a5fc4148d9a45b704", acceptedKeys[0].KeyID)
+}
+
+func TestECDSASignerVerifierWithMetablockFile(t *testing.T) {
+ key, err := LoadECDSAKeyFromFile(filepath.Join("test-data", "ecdsa-test-key.pub"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ sv, err := NewECDSASignerVerifierFromSSLibKey(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ metadataBytes, err := os.ReadFile(filepath.Join("test-data", "test-ecdsa.98adf386.link"))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ mb := struct {
+ Signatures []struct {
+ KeyID string `json:"keyid"`
+ Sig string `json:"sig"`
+ } `json:"signatures"`
+ Signed any `json:"signed"`
+ }{}
+
+ if err := json.Unmarshal(metadataBytes, &mb); err != nil {
+ t.Fatal(err)
+ }
+
+ assert.Equal(t, "304502201fbb03c0937504182a48c66f9218bdcb2e99a07ada273e92e5e543867f98c8d7022100dbfa7bbf74fd76d76c1d08676419cba85bbd81dfb000f3ac6a786693ddc508f5", mb.Signatures[0].Sig)
+ assert.Equal(t, sv.keyID, mb.Signatures[0].KeyID)
+
+ encodedBytes, err := cjson.EncodeCanonical(mb.Signed)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ decodedSig := hexDecode(t, mb.Signatures[0].Sig)
+
+ err = sv.Verify(context.Background(), encodedBytes, decodedSig)
+ assert.Nil(t, err)
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-07 08:56:59 +0000