constellation/internal/sigstore/sign_test.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/
package sigstore

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestSignSignature(t *testing.T) {
	assert := assert.New(t)
	// Generated with: cosign generate-key-pair
	privateKey := []byte("-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX0sInNhbHQiOiJlRHVYMWRQMGtIWVRnK0xkbjcxM0tjbFVJaU92eFVX\nVXgvNi9BbitFVk5BPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94\nIiwibm9uY2UiOiJwaWhLL2txNmFXa2hqSVVHR3RVUzhTVkdHTDNIWWp4TCJ9LCJj\naXBoZXJ0ZXh0Ijoidm81SHVWRVFWcUZ2WFlQTTVPaTVaWHM5a255bndZU2dvcyth\nVklIeHcrOGFPamNZNEtvVjVmL3lHRHR0K3BHV2toanJPR1FLOWdBbmtsazFpQ0c5\na2czUXpPQTZsU2JRaHgvZlowRVRZQ0hLeElncEdPRVRyTDlDenZDemhPZXVSOXJ6\nTDcvRjBBVy9vUDVqZXR3dmJMNmQxOEhjck9kWE8yVmYxY2w0YzNLZjVRcnFSZzlN\ndlRxQWFsNXJCNHNpY1JaMVhpUUJjb0YwNHc9PSJ9\n-----END ENCRYPTED COSIGN PRIVATE KEY-----")
	password := []byte("")
	content := []byte(`["2021-01-01-01-01.json"]\n`)
	publicKey := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu78QgxOOcao6U91CSzEXxrKhvFTt\nJHNy+eX6EMePtDm8CnDF9HSwnTlD0itGJ/XHPQA5YX10fJAqI1y+ehlFMw==\n-----END PUBLIC KEY-----")

	testCases := map[string]struct {
		content    []byte
		password   []byte
		privateKey []byte
		wantErr    bool
	}{
		"sign content with matching password and private key": {
			content:    content,
			password:   password,
			privateKey: privateKey,
		},
		"fail with wrong password": {
			content:    content,
			password:   []byte("wrong"),
			privateKey: privateKey,
			wantErr:    true,
		},
		"fail with wrong private key": {
			content:    content,
			password:   password,
			privateKey: []byte("wrong"),
			wantErr:    true,
		},
	}
	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			signature, err := SignContent(tc.password, tc.privateKey, tc.content)
			if tc.wantErr {
				assert.Error(err)
			} else {
				assert.NoError(err)
				verifier := CosignVerifier{}
				assert.NoError(verifier.VerifySignature(tc.content, signature, publicKey))

			}
		})
	}
}
config: sign Azure versions on upload & verify on fetch (#1836) * add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> 2023-06-01 07:55:46 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`
			`package sigstore`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestSignSignature(t *testing.T) {`
			`assert := assert.New(t)`
			`// Generated with: cosign generate-key-pair`
			privateKey := []byte("-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX0sInNhbHQiOiJlRHVYMWRQMGtIWVRnK0xkbjcxM0tjbFVJaU92eFVX\nVXgvNi9BbitFVk5BPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94\nIiwibm9uY2UiOiJwaWhLL2txNmFXa2hqSVVHR3RVUzhTVkdHTDNIWWp4TCJ9LCJj\naXBoZXJ0ZXh0Ijoidm81SHVWRVFWcUZ2WFlQTTVPaTVaWHM5a255bndZU2dvcyth\nVklIeHcrOGFPamNZNEtvVjVmL3lHRHR0K3BHV2toanJPR1FLOWdBbmtsazFpQ0c5\na2czUXpPQTZsU2JRaHgvZlowRVRZQ0hLeElncEdPRVRyTDlDenZDemhPZXVSOXJ6\nTDcvRjBBVy9vUDVqZXR3dmJMNmQxOEhjck9kWE8yVmYxY2w0YzNLZjVRcnFSZzlN\ndlRxQWFsNXJCNHNpY1JaMVhpUUJjb0YwNHc9PSJ9\n-----END ENCRYPTED COSIGN PRIVATE KEY-----")
			`password := []byte("")`
			content := []byte(`["2021-01-01-01-01.json"]\n`)
			`publicKey := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu78QgxOOcao6U91CSzEXxrKhvFTt\nJHNy+eX6EMePtDm8CnDF9HSwnTlD0itGJ/XHPQA5YX10fJAqI1y+ehlFMw==\n-----END PUBLIC KEY-----")`

			`testCases := map[string]struct {`
			`content []byte`
			`password []byte`
			`privateKey []byte`
			`wantErr bool`
			`}{`
			`"sign content with matching password and private key": {`
			`content: content,`
			`password: password,`
			`privateKey: privateKey,`
			`},`
			`"fail with wrong password": {`
			`content: content,`
			`password: []byte("wrong"),`
			`privateKey: privateKey,`
			`wantErr: true,`
			`},`
			`"fail with wrong private key": {`
			`content: content,`
			`password: password,`
			`privateKey: []byte("wrong"),`
			`wantErr: true,`
			`},`
			`}`
			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`signature, err := SignContent(tc.password, tc.privateKey, tc.content)`
			`if tc.wantErr {`
			`assert.Error(err)`
			`} else {`
			`assert.NoError(err)`
			`verifier := CosignVerifier{}`
			`assert.NoError(verifier.VerifySignature(tc.content, signature, publicKey))`

			`}`
			`})`
			`}`
			`}`